Today the VENOM (Virtualized Environment Neglected Operations Manipulation) vulnerability, CVE 2015-3456, was announced. VENOM originates in a legacy virtual floppy disk controller from QEMU. If an attacker sends specially crafted code to the controller, it can crash the hypervisor and allow the attacker to break out of the VM to access other machines. VENOM impacts several popular virtualization platforms that include the QEMU controller, including Xen, KVM, and Oracle’s VirtualBox. Patches for QEMU and Xen are already available. To date, no exploit has been observed in the wild. Other virtual machine platforms such as VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected.
“While we have previously seen VM bugs that require custom configurations,” explained Tenable Strategist Cris Thomas, “they did not allow arbitrary code execution. VENOM is a unique VM sandbox escape that could potentially provide access to other hosts.”
“Even if the floppy disk controller is disabled, VENOM could still affect data centers,” continued Thomas. “Users should patch their QEMU and Xen platforms; users of other systems should contact their vendors to determine when patches will be available.”
New plugins, dashboards and log detections (Updated)
Tenable Network Security has developed new plugins for Nessus®, dashboards for SecurityCenter™ and vulnerability log detections for SecurityCenter Continuous View™ that will help customers identify and remediate this vulnerability on their networks.
|CentOS 5||83420, 83421|
|Debian 7 & 8||83422|
|Oracle Linux 6||83444|
|Oracle Linux 7||83445|
|RHEL 5||83429, 83430|
|RHEL 6||83425, 83428|
|RHEL 7||83426, 83427|
|Scientific Linux 5||83457, 83460|
|Scientific Linux 6||83458|
|Scientific Linux 7||83459|
A customized SecurityCenter dashboard is available via the feed to monitor, track and remediate critical assets (including QEMU, Xen, KVM and Oracle’s VirtualBox) affected by CVE-2015-3456. The dashboard provides insight on the impact to your environment and the progress of your efforts to remediate the VENOM issue.
The SecurityCenter CV Log Correlation Engine™ now detects CVE-2015-3456 in QEMU, Xen, KVM and Oracle’s VirtualBox via Windows and Linux logs. SecurityCenter CV LCE detections are posted on the plugins page as soon as they are available.
This blog is updated as events warrant.