Venom Remote Memory Corruption Vulnerability

There is a serious vulnerability in the QEMU hardware emulator used by the Xen and KVM hypervisors which allows remote memory corruption and possible exposure of adjacent VMs running on the same platform. The vulnerability has been dubbed VENOM, short for Virtualized Environment Neglected Operations Manipulation. This bug has existed since 2004 but was only recently discovered, on 05/13/2015, by Jason Geffner of CrowdStrike. Here is the official CVE description for CVE-2015-3456:

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

Oracle VM for x86 (among other hypervisors) is vulnerable depending on your configuration. The reason this vulnerability is so dangerous is that OVM is vulnerable in its default configuration; most past exploits have only been possible with non-default configurations. One thing to note: this bug only affects you if you have HVM (Hardware Virtualized Machine) virtual machines that use the emulated floppy driver code. If you have only PV (ParaVirtualized) VMs then you are not exposed.

I am attempting to contact Oracle to find out when (if not already) a patch will be available for download. However, I suspect it may be days or possibly weeks before patches are released, as they have to back-port a patched QEMU to all the different versions of Xen in the assorted releases of OVM that are currently supported.

I will post an update to this entry when I get more information.  For now, here are the patches that I have been able to find:

QEMU

XEN

RHEL5/6/7/OpenStack

Debian Linux

Ubuntu

It should be noted that installing the patch will require a reboot of all VMs on the affected platform. Also, VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected since they don’t use QEMU.

*** UPDATE ***

I opened a case with Oracle Support and got this response:

Solution ::

With Oracle VM we don’t allow / expose the Virtual Floppy controller so it’s a non-issue.
“For the issue you need a floppy configured for the guest. No floppy, no problem.”

I’ve been given half-accurate information before, and I don’t have official confirmation from Oracle other than this. If I find out anything that conflicts with the statement above I’ll be sure to update this post.

*** UPDATE #2 ***

So it seems my concern was warranted after all. I just received an email stating that OVM 2.2, 3.2 and 3.3 are all exposed and require patches. So far, here’s the relevant information from InfoDOC 2010871.1 on which components need to be patched:

OVM 3.2:
xen-4.1.3-25.el5.127.36.1.src.rpm
xen-4.1.3-25.el5.127.36.1.x86_64.rpm
xen-devel-4.1.3-25.el5.127.36.1.x86_64.rpm
xen-tools-4.1.3-25.el5.127.36.1.x86_64.rpm

OVM 3.3:
xen-4.3.0-55.el6.22.24.src.rpm
xen-4.3.0-55.el6.22.24.x86_64.rpm
xen-tools-4.3.0-55.el6.22.24.x86_64.rpm

I’m guessing you may need to manually update the specific packages called out above to fix the problem in the short term. Longer term, I’m sure Oracle will come out with a patch/update that fixes the problem. Stay tuned for a post on how to manually update your systems and how to verify that you’re no longer vulnerable.
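An added example for the verification step (this is not code from the post or from Oracle): it takes the output of `rpm -qa 'xen*'` on an OVM 3.2 or 3.3 host and compares each xen package against the fixed builds listed above, using a simplified RPM version comparison (no epoch or tilde handling).

```python
import re

# Fixed xen builds from the InfoDOC 2010871.1 list above, keyed by dist tag so
# an el5 (OVM 3.2) host is only ever compared against the el5 build.
FIXED_XEN = {
    "el5": ("4.1.3", "25.el5.127.36.1"),  # OVM 3.2
    "el6": ("4.3.0", "55.el6.22.24"),     # OVM 3.3
}

def split_nvr(pkg):
    """'xen-tools-4.3.0-55.el6.22.24.x86_64' -> ('xen-tools', '4.3.0', '55.el6.22.24')."""
    pkg = re.sub(r"\.(x86_64|i386|i686|noarch|src)(\.rpm)?$", "", pkg.strip())
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified rpmvercmp: walk alphanumeric segments; numeric segments compare
    as integers, alpha segments lexically, and a numeric segment beats an alpha one.
    Returns 1, 0 or -1 like the real thing (enough for the el5/el6 strings here)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_patched(pkg):
    """True if an installed xen* package is at or above the fixed build, False if
    it is older, None if it is not a xen RPM whose fixed build is listed above."""
    name, version, release = split_nvr(pkg)
    tag = re.search(r"\bel\d\b", release)
    if not name.startswith("xen") or tag is None or tag.group() not in FIXED_XEN:
        return None
    fixed_ver, fixed_rel = FIXED_XEN[tag.group()]
    c = rpmvercmp(version, fixed_ver) or rpmvercmp(release, fixed_rel)
    return c >= 0

def audit(rpm_qa_output):
    """Map each line of `rpm -qa 'xen*'` output to patched / UNPATCHED / unknown."""
    labels = {True: "patched", False: "UNPATCHED", None: "unknown"}
    return {line.strip(): labels[is_patched(line)]
            for line in rpm_qa_output.splitlines() if line.strip()}

if __name__ == "__main__":
    # Constructed sample of `rpm -qa 'xen*'` from a partially updated OVM 3.3 host.
    sample = "xen-4.3.0-55.el6.22.24.x86_64\nxen-tools-4.3.0-55.el6.22.23.x86_64\n"
    for pkg, status in audit(sample).items():
        print(f"{status:10} {pkg}")
```

Every package in the list for your release should report `patched`; remember that the host and all of its VMs still need the reboot noted above before the new code is actually in use.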


*** UPDATE #3 ***

Oracle has just released OVM 3.3.3, which fixes the VENOM bug.
