There have been some quiet times on serious big vulnerabilities (I don’t count the usual Java, Flash and Windows things that come and go all the time). Now it seems that another branded open source security bomb has dropped: ‘Venom’ Security Vulnerability Threatens Most Datacenters. So this new vulnerability has a brand name, VENOM (Virtualized Environment Neglected Operations Manipulation), and a website. But what is this all about? Is this just a lot of hype and scaremongering about nothing, or a real issue? Let’s look at the details.
A new vulnerability (CVE-2015-3456) has been found in the open source virtualization software QEMU. As such that does not sound so bad, because to my knowledge QEMU itself is not everywhere. Things turn more dangerous when you learn that the vulnerable code is used in Xen, KVM, and VirtualBox, while VMware. This list covers a large part of the virtualization software widely used in data centers and by developers to run virtual machines (this time Hyper-V and Bochs are unaffected, at least yet).
VENOM web site says: “VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.”
So what’s the issue here, you might ask. Floppy drives are outdated, so why are these products still vulnerable? For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default, sometimes without the user ever seeing it.
Security researchers say the zero-day flaw affects “millions” of machines in datacenters around the world. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significantly elevated access to the host’s local network and adjacent systems. Headlines even say: Bigger than Heartbleed, ‘Venom’ security vulnerability threatens most datacenters. I will wait and see how things develop.
Here is a description of the VENOM attack from the VENOM web site:
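Because the floppy device is often added without anyone asking for it, the first thing an administrator wants to know is which guests actually carry one. The following script is an added example (not from the VENOM site, the QEMU project or the original post) that inventories libvirt domain XML and QEMU command lines for floppy disks and floppy controllers. The domain definitions and command lines inside it are constructed samples; the libvirt elements (`<disk device='floppy'>`, `<controller type='fdc'>`) and QEMU options (`-fda`, `-fdb`, `-drive if=floppy`, `-device floppy`/`isa-fdc`) are real. Note that an empty result does not prove the controller is absent: on some machine types QEMU instantiates the FDC even without a configured drive, which is exactly why the page says the device is sometimes hidden, so the real fix is patching the hypervisor, and this inventory only helps prioritise.

```python
"""Inventory VM definitions for virtual floppy devices (CVE-2015-3456 exposure).

Added example, not code from the original post or from QEMU/libvirt.
All sample domain XML and command lines below are constructed.
"""
import shlex
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed libvirt domain XML: web01 has an explicit floppy, db01 does not.
SAMPLE_DOMAINS: Dict[str, str] = {
    "web01": """<domain type='kvm'>
  <name>web01</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/web01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='floppy'>
      <source file='/var/lib/libvirt/images/drivers.img'/>
      <target dev='fda' bus='fdc'/>
    </disk>
    <controller type='fdc' index='0'/>
  </devices>
</domain>""",
    "db01": """<domain type='kvm'>
  <name>db01</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/db01.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>""",
}


def libvirt_floppy_findings(domain_xml: str) -> List[str]:
    """Return a list of floppy-related devices declared in one libvirt domain."""
    root = ET.fromstring(domain_xml)
    findings: List[str] = []
    # <disk device='floppy'> is how libvirt attaches a floppy image to the FDC.
    for disk in root.iter("disk"):
        if disk.get("device") == "floppy":
            target = disk.find("target")
            dev = target.get("dev", "?") if target is not None else "?"
            findings.append(f"floppy disk target {dev}")
    # <controller type='fdc'> is the controller itself, the code VENOM lives in.
    for ctrl in root.iter("controller"):
        if ctrl.get("type") == "fdc":
            findings.append(f"fdc controller index {ctrl.get('index', '?')}")
    return findings


FLOPPY_FLAGS = {"-fda", "-fdb"}
FLOPPY_DEVICES = {"floppy", "isa-fdc"}


def qemu_cmdline_floppy_findings(cmdline: str) -> List[str]:
    """Return the floppy-related options found on a raw QEMU command line."""
    args = shlex.split(cmdline)
    findings: List[str] = []
    for i, arg in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else ""
        if arg in FLOPPY_FLAGS:                      # -fda/-fdb image
            findings.append(f"{arg} {nxt}")
        elif arg == "-drive" and "if=floppy" in nxt.split(","):
            findings.append(f"-drive {nxt}")
        elif arg == "-device" and nxt.split(",")[0] in FLOPPY_DEVICES:
            findings.append(f"-device {nxt}")
    return findings


def audit_domains(domains: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each guest name to its floppy findings, keeping only guests that have any."""
    report: Dict[str, List[str]] = {}
    for name, xml in domains.items():
        found = libvirt_floppy_findings(xml)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for guest, items in audit_domains(SAMPLE_DOMAINS).items():
        print(f"{guest}: {', '.join(items)}")
    # Constructed QEMU command line, as it might appear in `ps` output on a host.
    print(qemu_cmdline_floppy_findings(
        "qemu-system-x86_64 -m 1024 -drive file=a.qcow2,if=virtio -fda boot.img"))
```

On a real host the XML would come from `virsh dumpxml <guest>` and the command lines from the process list; the two functions are deliberately separate so that either source can be fed in on its own.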
1 Comment
Tomi Engdahl says:
Oracle releases antidote for VENOM vulnerability
Patch but don’t panic
http://www.theregister.co.uk/2015/05/19/oracle_patches_venom/
Oracle has released patches for its virtualisation software to crimp the VENOM vulnerability that allows attackers to break out of virtual machines to attack hosts.
The company follows a host of others including KVM and Xen which have patched the buffer overflow bug. VMware, Microsoft, and Bochs are immune to the problem.
Researcher Jason Geffner of threat intelligence outfit Crowdstrike quietly tipped off vendors including Oracle to VENOM (Virtualised Environment Neglected Operations Manipulation) (CVE-2015-3456) and notified the Oracle, QEMU, and Xen mailing lists.
“The vulnerable virtual Floppy Disk Controller (FDC) code is included in various virtualisation platforms and is used in some Oracle products,” the company says in a patch advisory.
“The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC.”
The vulnerability can only be remotely exploited if attackers are logged into a box but Oracle still considers it severe enough to “strongly recommend” customers apply the patches and reboot as soon as possible.
That limitation prevented mass exploitation.
Affected versions include VirtualBox 3.2, 4.0, 4.1, 4.2, and 4.3 prior to 4.3.28; Oracle VM 2.2, 3.2, and 3.3, and Oracle Linux 5, 6, and 7.