A vulnerability dubbed VENOM (Virtualized Environment Neglected Operations Manipulation), tracked as CVE-2015-3456, has been discovered that may allow an attacker to escape the confines of an affected virtual machine (VM) guest and potentially obtain code execution on the host operating system. The flaw is in the virtual floppy disk controller (FDC) emulation code that originated in QEMU and is shared by several hypervisors. Because code execution on the host also gives access to every other guest it runs, successful exploitation can expose sensitive and personally identifiable information (PII) and/or corporate intellectual property (IP), potentially impacting thousands of organizations and millions of end users that rely on VMs for the allocation of shared computing resources, connectivity, storage, security, and privacy.
Affected hypervisors:
- XEN (Citrix)
- KVM
- QEMU
- VIRTUALBOX (Oracle)
Hypervisors built on Xen, KVM, QEMU and VirtualBox are vulnerable whenever the FDC is present in the guest's device model, which is normally the case by default: the FDC belongs to the emulated PIIX (i440FX) and ICH9 (Q35) chipsets, so it is instantiated even when no floppy drive has been configured for the VM.
To exploit VENOM, an attacker (or malware acting on their behalf) needs privileges inside the guest operating system sufficient to issue commands to the emulated FDC through its I/O ports; in practice that means administrative or root privileges in the guest.
Detection is difficult because the vulnerable code is reached with ordinary FDC commands. Useful signals are, on the host, crashes of the QEMU (or Xen device-model) process that serves a guest, since an unsuccessful exploitation attempt typically corrupts the emulator's heap and aborts the process; and, in the guest, unexpected floppy controller use by privileged processes (for example loading of the floppy driver or access to device nodes such as /dev/fd0), together with the usual monitoring of memory exceptions, I/O interrupts, system calls, and privilege escalation.
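The host-side signal described above, worked through as an added example (this script is not part of the original advisory): it scans a syslog excerpt for the kernel's segfault message naming a QEMU/KVM emulator process, and for libvirt's report that the emulator it manages died. The sample log lines are constructed for the example, not real captures; the process-name prefixes are an assumption that covers qemu-system-*, qemu-kvm and kvm.

```python
import re

# Kernel message Linux prints when a userspace process takes a SIGSEGV.
# The kernel truncates the process name (comm) to 15 characters, so
# qemu-system-x86_64 shows up as "qemu-system-x86".
SEGFAULT_RE = re.compile(
    r"(?P<comm>[\w.\-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[\s]+)\["
)
# libvirt's log line when the emulator it manages exits unexpectedly.
MONITOR_RE = re.compile(
    r"libvirtd\[(?P<pid>\d+)\]: .*qemu unexpectedly closed the monitor"
)
# Process-name prefixes used by QEMU/KVM device models (assumption: qemu-system-*, qemu-kvm, kvm).
EMULATOR_PREFIXES = ("qemu", "kvm")


def find_emulator_crashes(log_text):
    """Return one dict per log line indicating that a guest's emulator process died."""
    events = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m and m.group("comm").startswith(EMULATOR_PREFIXES):
            events.append({
                "kind": "segfault",
                "pid": int(m.group("pid")),
                "comm": m.group("comm"),
                "object": m.group("obj"),   # object the faulting instruction lives in
                "line": line,
            })
            continue
        m = MONITOR_RE.search(line)
        if m:
            events.append({
                "kind": "monitor_closed",
                "pid": int(m.group("pid")),
                "comm": "libvirtd",
                "object": None,
                "line": line,
            })
    return events


# Constructed sample of a KVM host's syslog (not a real capture): one emulator crash,
# libvirt noticing it, an unrelated sshd crash that must be ignored, and a cron line.
SAMPLE_HOST_LOG = """\
May 13 10:21:07 kvm-host kernel: [ 7411.203812] qemu-system-x86[4211]: segfault at 7f3c1a2b9f00 ip 000055d0c3a1b2c4 sp 00007ffd1e4b9a30 error 4 in qemu-system-x86_64[55d0c3700000+9d0000]
May 13 10:21:08 kvm-host libvirtd[1502]: internal error: qemu unexpectedly closed the monitor
May 13 10:22:31 kvm-host kernel: [ 7495.118003] sshd[4388]: segfault at 0 ip 00007f0a1c2e5a10 sp 00007ffe3b2c1d20 error 4 in libc-2.19.so[7f0a1c2b0000+1b0000]
May 13 10:25:00 kvm-host CRON[4402]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
"""

if __name__ == "__main__":
    for ev in find_emulator_crashes(SAMPLE_HOST_LOG):
        print(f"{ev['kind']:15} pid={ev['pid']:<6} {ev['line']}")
```

A crash of the emulator is not proof of an exploitation attempt, but on a host running unpatched QEMU/KVM it is the one event worth treating as an incident until the guest owner explains it; correlate the PID with the guest's libvirt log to identify which tenant was involved.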
Please note the following caveats:
- Amazon AWS, VMware, Microsoft Hyper-V, and Bochs hypervisors are not considered impacted by this vulnerability.
- Removing the floppy drive from a VM does not mitigate the issue: when the PIIX or ICH9 chipset is emulated, the FDC code is still instantiated and remains reachable from the guest.
- The account used inside the VM must have admin/root privileges for exploitation to escape to the hypervisor. The vulnerability is not exploitable directly over the network; an attacker first needs privileged code execution in a guest.
- Third-party hosting providers may or may not be affected, depending on the hypervisor they use and on whether they have patched and restarted the affected guests.
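The "removing the floppy drive is not enough" caveat, applied to a libvirt/KVM guest definition as an added example (not code from the original advisory or from any vendor): the script reads a domain's XML, lists attached floppy drives, and checks the QEMU machine type, because the pc-i440fx (PIIX) and q35 (ICH9) machine types carry the FDC regardless of drives. The sample domain XML is constructed for the example; the machine-type prefixes and the advice strings are this example's assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# QEMU machine types whose chipset emulation (i440FX/PIIX or Q35/ICH9) includes the
# ISA floppy controller; the FDC is created whether or not a drive is attached.
# Assumption: libvirt reports the machine type in <os><type machine="..."/>.
FDC_MACHINE_PREFIXES = ("pc", "q35")


def assess_domain(xml_text):
    """Report floppy drives and whether the vulnerable FDC is reachable for one libvirt domain."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name")
    machine = root.find("./os/type").get("machine", "")
    floppy_drives = [
        disk.find("target").get("dev")
        for disk in root.findall("./devices/disk[@device='floppy']")
    ]
    chipset_fdc = machine.startswith(FDC_MACHINE_PREFIXES)
    if chipset_fdc:
        advice = ("FDC is part of the emulated chipset: patch the emulator and restart the "
                  "guest; removing floppy drives alone does not mitigate")
    elif floppy_drives:
        advice = "floppy drives attached: patch the emulator and restart the guest"
    else:
        advice = "no FDC exposed by this machine type; confirm with the vendor advisory"
    return {
        "name": name,
        "machine": machine,
        "floppy_drives": floppy_drives,
        "fdc_exposed": chipset_fdc or bool(floppy_drives),
        "advice": advice,
    }


# Constructed libvirt domain definition (not from the page): an i440FX guest that
# happens to have a floppy image attached as well.
SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <name>build-guest</name>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
  </os>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='floppy'>
      <source file='/var/lib/libvirt/images/boot.img'/>
      <target dev='fda' bus='fdc'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/build.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""

if __name__ == "__main__":
    # With no arguments, assess the constructed sample; otherwise each argument is a
    # domain XML file (e.g. saved from `virsh dumpxml <domain>`).
    sources = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_DOMAIN_XML]
    for text in sources:
        r = assess_domain(text)
        print(f"{r['name']}: machine={r['machine']} floppies={r['floppy_drives']} "
              f"fdc_exposed={r['fdc_exposed']} -> {r['advice']}")
```

The point of the machine-type check is that an inventory built only from "which guests have a floppy drive" will miss almost every affected x86 guest; the inventory has to start from the emulator version instead.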
The following vendors have released patches and advisories:
- QEMU: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
- Xen Project: http://xenbits.xen.org/xsa/advisory-133.html
- Red Hat: https://access.redhat.com/articles/1444903
- Citrix: http://support.citrix.com/article/CTX201078
- FireEye: https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf
- Linode: https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/
- Rackspace: https://community.rackspace.com/general/f/53/t/5187
- Ubuntu: http://www.ubuntu.com/usn/usn-2608-1/
- Debian: https://security-tracker.debian.org/tracker/CVE-2015-3456
- SUSE: https://www.suse.com/support/kb/doc.php?id=7016497
- DigitalOcean: https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/
- F5: https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html
- Joyent: https://help.joyent.com/entries/68099220-Security-Advisory-on-Venom-CVE-2015-3456-in-KVM-QEMU
Note: at the time of this advisory, Oracle had not yet released a fix for VirtualBox.
We recommend the following actions be taken:
- Apply appropriate patches provided by vendors to vulnerable systems immediately after appropriate testing. Note that updating the emulator on disk does not change code that is already running: each affected guest keeps executing the old device model until it is shut down and started again (or live-migrated to a patched host).
- Run all software inside guests as a non-privileged user (one without administrative privileges) to diminish the effects of a successful compromise; exploitation of VENOM requires root or administrative access in the guest.
- If no updates or patches are available, monitor or contact your software vendors for availability.
- Verify with all third-party hosting providers that you use that they are either not affected or have applied the patches and restarted the affected guests.
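Checking the "patched on disk but still running old code" condition on a KVM host, as an added example (not part of the original advisory): after the binary is replaced, /proc/PID/exe for a process started before the update resolves to a path ending in " (deleted)", so listing emulator processes in that state gives the set of guests that still need a restart or migration. The process-name prefixes are an assumption covering qemu-system-*, qemu-kvm and kvm; run it as root to see every tenant's processes.

```python
import os

# Process names used by QEMU/KVM device models (assumption, see lead-in).
EMULATOR_PREFIXES = ("qemu", "kvm")


def binary_replaced(exe_link_target):
    """True if a /proc/PID/exe link shows the executable was replaced after the process started."""
    return exe_link_target.endswith(" (deleted)")


def is_emulator(comm):
    """True for process names that look like a QEMU/KVM device model."""
    return comm.startswith(EMULATOR_PREFIXES)


def find_stale_emulators(proc_root="/proc"):
    """List (pid, comm, exe) for emulator processes still running a replaced binary."""
    stale = []
    if not os.path.isdir(proc_root):
        return stale
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # process exited meanwhile, or not readable without root
        if is_emulator(comm) and binary_replaced(exe):
            stale.append((int(entry), comm, exe))
    return stale


if __name__ == "__main__":
    stale = find_stale_emulators()
    if not stale:
        print("no emulator process is running a replaced binary")
    for pid, comm, exe in stale:
        print(f"pid {pid} ({comm}) still runs pre-update code: {exe}; "
              f"restart or live-migrate this guest")
```

An empty result only means no emulator is running a binary that was replaced underneath it; it does not by itself prove the installed version is fixed, so pair it with the package version check from your distribution's advisory.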