Name: Venom - Privilege escalation via emulated floppy disk drive
CVE names: CVE-2015-3456
Status: Solved by vendor
A 'buffer overflow' vulnerability has been discovered in the Floppy Disk Controller (FDC) emulation implemented in the QEMU component used by many hypervisors. The vulnerability, which has been assigned CVE-2015-3456 and is now being referred to as VENOM, was discovered by Jason Geffner of CrowdStrike, Inc. The vulnerability was rated as having an Important impact.
The Floppy Disk Controller (FDC) in QEMU allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code in certain FDC commands.
The bug is in QEMU’s virtual Floppy Disk Controller (FDC). This vulnerable FDC code is used in numerous virtualization platforms and appliances, notably Xen, KVM, VirtualBox, and the native QEMU client.
This vulnerability may allow an attacker to escape from an affected guest virtual machine (VM) and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.
This issue affects all x86 and x86-64 QEMU based guests, regardless of their machine type. It is also exposed regardless of the presence of any floppy-related QEMU command line options, so even guests without a floppy disk explicitly enabled in their configuration files are affected.
Though the VENOM vulnerability is also agnostic of the guest operating system, an attacker (or an attacker’s malware) would need to have administrative or root privileges in the guest operating system in order to exploit VENOM.
Affected versions: QEMU 2.3.0 and previous versions.
QEMU has published the fix here:
Most vendors have published fixes and patches to solve this vulnerability.
redBorder servers are based on the CentOS operating system. Some redBorder products use a QEMU based virtualization engine. To fix this vulnerability you only have to update the qemu-kvm package.
# yum update qemu-kvm -y
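The package update replaces the qemu-kvm binary on disk, but guests that were already running keep executing the old, vulnerable code until they are restarted (the Red Hat article the advisory links makes the same point). The following shell script is an added verification example, not part of the redBorder advisory: it finds QEMU processes whose executable was replaced after they started, which on Linux shows up as a " (deleted)" suffix on the readlink target of /proc/<pid>/exe. The constructed sample input stands in for a host where one guest was started before the update and one after; run it with --live as root to inspect a real host.

```shell
#!/bin/sh
# Added example (not from the redBorder advisory or the QEMU project).
# Purpose: after `yum update qemu-kvm`, list guests still running the old
# binary so they can be scheduled for a restart.

# stale_qemu_pids: reads "pid exe-target" lines on stdin and prints the
# pids whose exe target is a QEMU binary that has since been replaced on
# disk (Linux marks such targets with a trailing " (deleted)").
stale_qemu_pids() {
    while read -r pid target; do
        case "$target" in
            *qemu*"(deleted)") printf '%s\n' "$pid" ;;
        esac
    done
}

# collect_qemu_exes: live collection on a host. Reading another user's
# /proc/<pid>/exe requires root. Emits "pid exe-target" per QEMU process.
collect_qemu_exes() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$target" in
            *qemu*) printf '%s %s\n' "$pid" "$target" ;;
        esac
    done
}

# Constructed sample input (assumed, not captured from a real host):
# pid 1234 was started before the update, pid 5678 after it, and
# pid 9012 is unrelated.
SAMPLE='1234 /usr/libexec/qemu-kvm (deleted)
5678 /usr/libexec/qemu-kvm
9012 /usr/sbin/sshd'

if [ "${1:-}" = "--live" ]; then
    collect_qemu_exes | stale_qemu_pids
else
    printf '%s\n' "$SAMPLE" | stale_qemu_pids
fi
```

Any pid printed corresponds to a guest that must be shut down and started again (a reboot from inside the guest is not enough, since that does not replace the host-side QEMU process).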
Crowdstrike – Venom report - http://venom.crowdstrike.com/
CVE-2015-3456 - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
RedHat articles - VENOM: QEMU vulnerability (CVE-2015-3456) - https://access.redhat.com/articles/1444903
RedHat security blog: VENOM, don’t get bitten - https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/
XSA Advisories - http://xenbits.xen.org/xsa/advisory-133.html
The redBorder CSIRT Group: csirt@redBorder.net