Tópico: Venom vulnerability
13-05-2015, 18:29 #1
A Vultr publicou uma nota de esclarecimento no site, após ter derrubado o serviço ao mesmo tempo, e sem qualquer aviso, nas 3 regiões em que eu tenho instâncias rodando (achei que tinham suspendido a minha conta )
05/13/15 4:00 pm EDT
The Vultr security team is rolling out a security update which is being transparently applied to all instances. A small portion of instances may require a restart to fully apply the patches, and this will be done automatically. Our teams will continue to diligently review and monitor the global platform and keep you updated of any issues.
A Amazon publicou nota dizendo que a vulnerabilidade não afeta as VMs do AWS.
13-05-2015, 18:33 #2
14-05-2015, 11:04 #3
Virtualized Environment Neglected Operations Manipulation
Discovered by Jason Geffner, CrowdStrike Senior Security Researcher_____________________
Vendor advisories, patches, and notifications available below in Q&A section.
VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.
Exploitation of the VENOM vulnerability can expose access to corporate intellectual property (IP), in addition to sensitive and personally identifiable information (PII), potentially impacting the thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy.
14-05-2015, 11:08 #4
What products are affected?
The bug is in QEMU’s virtual Floppy Disk Controller (FDC). This vulnerable FDC code is used in numerous virtualization platforms and appliances, notably Xen, KVM, and the native QEMU client.
VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.
Since the VENOM vulnerability exists in the hypervisor’s codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, etc.).
Though the VENOM vulnerability is also agnostic of the guest operating system, an attacker (or an attacker’s malware) would need to have administrative or root privileges in the guest operating system in order to exploit VENOM.
What vendors have released patches and advisories?
CrowdStrike is aware of the following vendor patches, advisories, and notifications.
- QEMU: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0 718795fedee2e824c
- Xen Project: http://xenbits.xen.org/xsa/advisory-133.html
- Red Hat: https://access.redhat.com/articles/1444903
- Citrix: http://support.citrix.com/article/CTX201078
- FireEye: https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf
- Linode: https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/
- Rackspace: https://community.rackspace.com/general/f/53/t/5187
- Ubuntu: http://www.ubuntu.com/usn/usn-2608-1/
- Debian: https://security-tracker.debian.org/tracker/CVE-2015-3456
- Suse: https://www.suse.com/support/kb/doc.php?id=7016497
- DigitalOcean: https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/
- f5: https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html
We recommend you reach out to your vendors directly to get the latest security updates.
Floppy drives are outdated, so why are these products still vulnerable?
For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.
How is this different from previous VM escape vulnerabilities?
Most VM escape vulnerabilities discovered in the past were only exploitable in non-default configurations or in configurations that wouldn’t be used in secured environments. Other VM escape vulnerabilities only applied to a single virtualization platform, or didn’t directly allow for arbitrary code execution.
- CVE-2007-1744 – Directory traversal vulnerability in shared folders feature
- CVE-2008-0923 – Path traversal vulnerability in VMware’s shared folders implementation
- CVE-2009-1244 – Cloudburst (VMware virtual video adapter vulnerability)
- CVE-2011-1751 – Missing hotplug check during device removal
- CVE-2012-0217 – 64-bit PV guest privilege escalation vulnerability
- CVE-2014-0983 – Oracle VirtualBox 3D acceleration multiple memory corruption vulnerabilities
VENOM (CVE-2015-3456) is unique in that it applies to a wide array of virtualization platforms, works on default configurations, and allows for direct arbitrary code execution.
What is the vulnerability?
The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command.
This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.
How long has this bug existed?
The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase.
14-05-2015, 20:09 #5
É muita coincidência eu ter reinstalado o Debian em 2 VPS KVM de provedores diferentes e ambos servidores não terem conexão IPv4. Troco do patch do Venom? Nenhum dos 2 provedores conseguiu resolver a encrenca até agora.
15-05-2015, 23:44 #6
- Data de Ingresso
- May 2014
- Rio de Janeiro
Recebi um e-mail ontem da Backupsy informando esse venom, e duranta a madrugada eles reiniciaram todas maquinas para aplicar as alterações.