VENOM Vulnerability Threatens Virtual Machines (Updated)
Today the VENOM (Virtualized Environment Neglected Operations Manipulation) vulnerability, CVE 2015-3456, was announced. VENOM originates in a legacy virtual floppy disk controller from QEMU. If an attacker sends specially crafted code to the controller, it can crash the hypervisor and allow the attacker to break out of the VM to access other machines. VENOM impacts several popular virtualization platforms that include the QEMU controller, including Xen, KVM, and Oracle’s VirtualBox. Patches for QEMU and Xen are already available. To date, no exploit has been observed in the wild. Other virtual machine platforms such as VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected.
“While we have previously seen VM bugs that require custom configurations,” explained Tenable Strategist Cris Thomas, “they did not allow arbitrary code execution. VENOM is a unique VM sandbox escape that could potentially provide access to other hosts.”
“Even if the floppy disk controller is disabled, VENOM could still affect data centers,” continued Thomas. “Users should patch their QEMU and Xen platforms; users of other systems should contact their vendors to determine when patches will be available.”
New plugins, dashboards and log detections (Updated)
Tenable Network Security has developed new plugins for Nessus®, dashboards for SecurityCenter™ and vulnerability log detections for SecurityCenter Continuous View™ that will help customers identify and remediate this vulnerability on their networks.
| Distribution | Plugin |
|---|---|
| CentOS 5 | 83420, 83421 |
| CentOS 6 | 83418 |
| CentOS 7 | 83419 |
| Debian 7 & 8 | 83422 |
| Oracle Linux 6 | 83444 |
| Oracle Linux 7 | 83445 |
| OracleVM 2.2 | 83484 |
| OracleVM 3.2 | 83483 |
| OracleVM 3.3 | 83482 |
| RHEL 5 | 83429, 83430 |
| RHEL 6 | 83425, 83428 |
| RHEL 7 | 83426, 83427 |
| Scientific Linux 5 | 83457, 83460 |
| Scientific Linux 6 | 83458 |
| Scientific Linux 7 | 83459 |
| Ubuntu 12.04/14.04/14.10/15.04 | 83438 |
A customized SecurityCenter dashboard is available via the feed to monitor, track and remediate critical assets (including QEMU, Xen, KVM and Oracle’s VirtualBox) affected by CVE-2015-3456. The dashboard provides insight on the impact to your environment and the progress of your efforts to remediate the VENOM issue.
The SecurityCenter CV Log Correlation Engine™ now detects CVE-2015-3456 in QEMU, Xen, KVM and Oracle’s VirtualBox via Windows and Linux logs. SecurityCenter CV LCE detections are posted on the plugins page as soon as they are available.
This blog is updated as events warrant.
Related Articles
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs
August 13, 2024Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Compromising Microsoft's AI Healthcare Chatbot Service
August 13, 2024Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
- Virtualization