On 13 May 2015 a critical vulnerability in the legacy virtual floppy disk controller (FDC) emulated by QEMU was publicly disclosed as CVE-2015-3456, better known as VENOM. The defect had been present in the QEMU code base since 2004. It was discovered by Jason Geffner of CrowdStrike, who notified the affected projects and vendors privately ahead of publication so that patches could be coordinated before the details became public.
What is the impact?
The flaw lies in the emulated floppy disk controller that QEMU presents to x86 guests. A guest drives the FDC by writing command and parameter bytes to the controller's I/O ports (0x3F0 to 0x3F7); the controller collects those bytes in a fixed-size FIFO buffer and resets its index when each command completes. The handlers for certain commands, such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND, did not reset that index, so a guest that issues one of them and then keeps writing to the data port can write attacker-controlled bytes past the end of the FIFO: a heap buffer overflow inside the QEMU process. That process runs on the host side of the virtualisation boundary (on KVM it is the process that holds the guest; on Xen HVM it is the device model), so a successful exploit could execute attacker-controlled code there and escape from the guest to the host.
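The following is a simplified model of the defect, added here to illustrate the mechanism; it is not QEMU's source. The FIFO size, the command codes and the index arithmetic of the fix are taken from QEMU's fdc.c, while the command table, the "neighbour" bytes standing in for whatever followed the FIFO on the heap, and the guest's byte sequence are constructed for the example. It compares the pre-patch indexing with the upstream fix, which forces the FIFO index back into bounds rather than relying on every handler to reset it.

```c
/* Simplified model of the VENOM defect (CVE-2015-3456). Added illustration
 * for this advisory, not QEMU code: the real controller (hw/block/fdc.c) has
 * many more commands and registers. Everything marked "modelled" is ours. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FD_SECTOR_LEN  512     /* size of the FIFO in fdc.c */
#define NEIGHBOUR_LEN  16      /* modelled: heap bytes that follow the FIFO */
#define FD_CMD_READ_ID 0x0a    /* command whose handler left the FIFO index alone */
#define FD_CMD_WRITE   0x45    /* ordinary 9-byte command; FIFO is reset afterwards */
#define FILL           0xEE    /* modelled: pattern used to detect corruption */

typedef struct {
    uint8_t  heap[FD_SECTOR_LEN + NEIGHBOUR_LEN]; /* modelled allocation: FIFO + what follows it */
    uint32_t data_pos;         /* next FIFO index to write, as in fdc.c */
    uint32_t data_len;         /* bytes the current command expects */
    int      timer_armed;      /* modelled: READ_ID defers its result phase to a timer */
} fdctrl_t;

static void fdctrl_reset_fifo(fdctrl_t *f) { f->data_pos = 0; f->data_len = 0; }

/* modelled: how many bytes each command consumes before its handler runs */
static uint32_t cmd_len(uint8_t cmd)
{
    switch (cmd) {
    case FD_CMD_READ_ID: return 2;   /* command byte + drive/head byte */
    case FD_CMD_WRITE:   return 9;
    default:             return 1;   /* anything else: complete at once */
    }
}

/* Guest writes one byte to the data register (port 0x3F5).
 * fixed=0 reproduces the pre-patch indexing, fixed=1 the upstream fix. */
static void fdctrl_write_data(fdctrl_t *f, uint8_t value, int fixed)
{
    uint32_t pos;
    if (f->data_pos == 0)                 /* first byte of a command */
        f->data_len = cmd_len(value);

    pos = f->data_pos++;
    if (fixed)
        pos %= FD_SECTOR_LEN;             /* the fix: keep the index inside the FIFO */
    else if (pos >= sizeof f->heap)
        return;                           /* modelled bound only: real QEMU kept writing into the heap */
    f->heap[pos] = value;

    if (f->data_pos == f->data_len) {     /* command complete: run its handler */
        if (f->heap[0] == FD_CMD_READ_ID)
            f->timer_armed = 1;           /* arms a timer and returns without fdctrl_reset_fifo() */
        else
            fdctrl_reset_fifo(f);         /* normal commands start the next one from index 0 */
    }
}

/* Count neighbour bytes that no longer hold the fill pattern. */
static int count_clobbered(const fdctrl_t *f)
{
    int n = 0;
    for (size_t i = FD_SECTOR_LEN; i < sizeof f->heap; i++)
        if (f->heap[i] != FILL)
            n++;
    return n;
}

/* Issue `cmd` with zeroed parameters, then keep writing to the data port
 * (constructed guest input). Returns how many bytes beyond the FIFO were
 * overwritten: 16 for READ_ID unpatched, 0 once fixed, 0 for a command
 * that resets the FIFO. */
int venom_demo(uint8_t cmd, int fixed)
{
    fdctrl_t f;
    memset(&f, 0, sizeof f);
    memset(f.heap + FD_SECTOR_LEN, FILL, NEIGHBOUR_LEN);
    fdctrl_reset_fifo(&f);

    fdctrl_write_data(&f, cmd, fixed);
    for (uint32_t i = 1; i < cmd_len(cmd); i++)
        fdctrl_write_data(&f, 0x00, fixed);
    for (int i = 0; i < 600; i++)         /* the guest simply keeps writing */
        fdctrl_write_data(&f, 0x41, fixed);
    return count_clobbered(&f);
}

int main(void)
{
    printf("READ_ID, unpatched: %d bytes past the FIFO overwritten\n", venom_demo(FD_CMD_READ_ID, 0));
    printf("READ_ID, patched:   %d bytes past the FIFO overwritten\n", venom_demo(FD_CMD_READ_ID, 1));
    printf("WRITE,   unpatched: %d bytes past the FIFO overwritten\n", venom_demo(FD_CMD_WRITE, 0));
    return 0;
}
```

The contrast between the READ_ID and WRITE runs is the whole bug: the index check in the write path is an equality test against the expected length, so once a handler fails to reset the index the guest can run it past the buffer indefinitely. The fix does not try to audit every handler; it bounds the index at the single point where the FIFO is written.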
Given how widely virtualisation is used in modern corporate infrastructure, the vulnerability was initially treated as being of the highest severity. Exploiting it does, however, require the ability to write to the FDC's I/O ports, which in practice means administrative (root, or equivalent ring 0) access inside the guest virtual machine; that prerequisite reduces the likelihood of an escalation to the host in environments where guest administrators are trusted.
The important exception is multi-tenant hosting. In public cloud and VPS offerings, customers routinely hold full administrative control of their guests, so where a hypervisor is shared between several organisations or individuals the prerequisite is already met for every tenant, and the impact of a successful exploit extends to all guests on that host.
What systems are affected?
The following platforms are affected:
- Kernel-based Virtual Machine (KVM)
- Xen
- QEMU itself (including guests run under plain QEMU without KVM acceleration)
Microsoft Hyper-V, VMware, the Bochs emulator, and Xen guests running in PV mode are not affected; Xen HVM guests, which use the QEMU device model, are. Note also that the absence of a configured floppy drive is not a safeguard: CrowdStrike reported that on Xen and QEMU the vulnerable FDC code remains active even when the virtual floppy drive has been explicitly disabled.
How can we detect the vulnerability?
Detection of VENOM is now available to clients through SureCloud's "on-demand" scanning functionality. It is automatically included in all other "general" scan policies (i.e. those not already configured specifically for detection of another vulnerability) where credentialed scans are being used.
For clients wanting to detect just this vulnerability, a dedicated tool policy has been created, called "Vulnerability: VENOM (CVE-2015-3456)". Again, credentialed scans are needed, and the scan must target the virtualisation hosts rather than the guests, since the host is where the vulnerable package lives. The best way to achieve this is usually a privileged SSH scan.
If you require assistance configuring a scan for this vulnerability in the SureCloud Platform, please raise a support ticket and our security team will assist you as soon as possible.
How can we remediate the vulnerability?
Because CrowdStrike disclosed the issue responsibly, many vendors had patches ready at publication. The fix applies to the virtualisation host (the QEMU, qemu-kvm or Xen device-model package), not to the guests, so individual guests are not the target for remediation. Upgrading the package on its own is not enough, however: every QEMU process started before the upgrade keeps running the old code, so each affected virtual machine must be shut down and started again (or live-migrated to a patched host), and Xen HVM guests likewise need their device model restarted. Many providers, Amazon Web Services among them, stated at disclosure that their customers were not exposed, and it is likely the same with other providers; if you run on a third-party platform, confirm this with the provider rather than assuming it.
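One way to confirm on a Linux host that the restart step has actually been done, written as an added example for this advisory rather than a vendor-supplied tool. It relies on a standard kernel behaviour: /proc/PID/exe resolves to the executable's path with " (deleted)" appended once the file the process was started from has been replaced on disk, which is exactly what a package upgrade does. The "qemu" substring used to pick out device-model processes is an assumption about binary names (qemu-system-*, qemu-kvm); adjust it for your distribution. Run it as root so that every process is visible.

```c
/* Find QEMU processes still running a binary that has been replaced on disk,
 * e.g. by the CVE-2015-3456 package update. Added example for this advisory,
 * not a vendor tool. Assumption: the device-model binary name contains "qemu". */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static const char DELETED_SUFFIX[] = " (deleted)";

/* 1 if the resolved exe path carries the kernel's "(deleted)" marker,
 * i.e. the file the process was started from no longer exists as-is. */
int exe_is_stale(const char *exe_path)
{
    size_t n = strlen(exe_path), s = strlen(DELETED_SUFFIX);
    return n >= s && strcmp(exe_path + n - s, DELETED_SUFFIX) == 0;
}

/* 1 if the path looks like a QEMU device model (assumption: name contains "qemu"). */
int exe_is_qemu(const char *exe_path)
{
    return strstr(exe_path, "qemu") != NULL;
}

/* Walk /proc, print every QEMU process whose binary was replaced, and return
 * how many were found (-1 if /proc cannot be opened). Each PID listed is a
 * guest that still runs the pre-patch FDC code until it is restarted. */
int find_stale_qemu(void)
{
    DIR *proc = opendir("/proc");
    struct dirent *de;
    char link[64], target[PATH_MAX + 1];
    int stale = 0;

    if (!proc)
        return -1;
    while ((de = readdir(proc)) != NULL) {
        ssize_t len;
        if (!isdigit((unsigned char)de->d_name[0]))   /* only PID directories */
            continue;
        snprintf(link, sizeof link, "/proc/%s/exe", de->d_name);
        len = readlink(link, target, PATH_MAX);       /* fails for kernel threads and, unless root, other users' processes */
        if (len < 0)
            continue;
        target[len] = '\0';
        if (exe_is_qemu(target) && exe_is_stale(target)) {
            printf("pid %s still runs the old binary: %s\n", de->d_name, target);
            stale++;
        }
    }
    closedir(proc);
    return stale;
}

int main(void)
{
    int n = find_stale_qemu();
    if (n < 0) {
        fprintf(stderr, "cannot open /proc\n");
        return 2;
    }
    printf("%d QEMU process(es) need restarting\n", n);
    return n ? 1 : 0;
}
```

Checking the main executable is sufficient here because the FDC emulation is linked into the qemu-system binary rather than loaded as a separate module. The "(deleted)" marker appears for any replaced binary, not only a security update, so treat the output as "these guests have not been restarted since their binary last changed" and cross-check against the package's install time if that matters.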
A vendor patching and advisory list, as provided by CrowdStrike, is as follows:
- Citrix
- Debian
- DigitalOcean
- F5
- FireEye
- Joyent
- Linode
- Liquid Web
- QEMU
- Rackspace
- Red Hat
- SUSE
- Ubuntu
- UpCloud
- Xen Project
What mitigation is possible?
Where a host cannot be patched immediately, the options are limited and none of them replaces the patch. On Xen, running the device model in a stub domain confines a successful exploit to the privileges of that stub domain rather than those of the service domain (dom0); the Xen Project's XSA-133 advisory lists this as the mitigation. On KVM hosts where QEMU is confined by SELinux (sVirt), mandatory access control limits what a compromised QEMU process can reach on the host, although it does not prevent the overflow itself. Removing the virtual floppy drive from guest configurations is not sufficient on its own: as noted above, on Xen and QEMU the vulnerable FDC code remains active even when the floppy drive is disabled.
References
https://venom.crowdstrike.com/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
https://www.tenable.com/blog/venom-vulnerability-threatens-virtual-machines
Get in touch
Should you have any questions regarding this or any security matter, please do not hesitate to get in touch by opening a support ticket or emailing SureCloud Support.
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organisation may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in line with any existing internal change control procedures.