VENOM vulnerability affects virtual machine environments using QEMU
This information was sent to U-M IT staff groups via email on May 15, 2015.
This message is intended for U-M IT staff who are responsible for maintaining and running university virtual machines.
Summary
The Virtualized Environment Neglected Operations Manipulation (VENOM) vulnerability, which affects some software used for virtual machines, could allow an attacker who has privileged access to a single virtual machine to gain unauthorized access to all virtual machines on that host, as well as the host system itself. There are no reported exploits occurring at this time. Some patches are available now, while others are still being prepared and tested by vendors. Those who maintain affected virtual machines should apply the patches as soon as possible after appropriate testing.
Threats
The VENOM vulnerability could allow someone with root access on a virtual machine to reach out of that machine, execute code on the host machine, and access all the virtual machines on that host (that is, access all the virtual machines that share the same hypervisor).
Affected Systems
VENOM affects the open-source virtualization package QEMU. It affects QEMU's Virtual Floppy Disk Controller (FDC), which is used in many virtualization platforms and appliances, including Xen, KVM, Oracle's VirtualBox, and the native QEMU client.
Action Items
If you are responsible for virtual machines using the affected software, apply the patches as soon as possible after appropriate testing. Check your software vendor's website for patches. CrowdStrike has provided a list of links to vendor patches and more at venom.crowdstrike.com.
Technical Details
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and in KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.
Information for Users
Users do not need to do anything in response to VENOM, because it only affects virtual machines. University IT staff and cloud vendors are responsible for patching machines vulnerable to VENOM.
Questions, Concerns, Reports
Please contact [email protected].
Sincerely,
Don
Donald J. Welch, Ph.D.,
Chief Information Security Officer,
University of Michigan
References
- Vulnerability Summary for CVE-2015-3456 (NIST National Vulnerability Database, 5/13/15)
- VENOM (CrowdStrike, includes links to vendor patches and more)
- For Venom security flaw, the fix is in: Patch your VM today (ZDNet, 5/13/15)
- Venom vulnerability bares its fangs: Protect your data center with these patches (TechRepublic, 5/13/15)
- Venom Vulnerability Exposes Most Data Centers to Cyber Attacks (The Hacker News, 5/14/15)
- Experts' Opinions Mixed On VENOM Vulnerability (Information Week DARK Reading, 5/14/15)
- Venom VM bug called “perfect” for NSA, or for stealing bitcoins and passwords (ars technica, 5/13/15)
- Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters (ZDNet, 5/13/15)
- Not Bigger Than Heartbleed But Venom Vulnerability Could Have Opened Door To Cloud Kingdoms (Forbes, 5/13/15)