The vulnerability is agnostic of the host operating system
Jason Geffner, CrowdStrike Senior Security Researcher, discovered a new vulnerability which potentially puts millions of users at risk. The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command.
This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.
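As an added illustration (not QEMU's code and not from the original article), the following C model shows the defect class described above: a fixed-size command buffer whose write index is cleared after every command except one, so repeating that one command walks the index past the end of the buffer. The hardened variant clears the index unconditionally after each command and refuses a write once the index reaches the buffer size. The opcode numbering, parameter lengths, buffer size and the choice of which opcode "forgets" the reset are all constructed for this model; the real controller's command set and sizes differ.

```c
/* Hypothetical model of a command-buffer reset defect. Not QEMU code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_SIZE    16   /* constructed: size of the "real" command buffer   */
#define SLACK        16   /* extra room so the model never writes out of bounds */
#define NUM_CMDS      3   /* constructed: opcodes 0..2                         */
#define LEAKY_OPCODE  2   /* constructed: the command whose handler skips reset */

/* constructed table: opcode -> number of parameter bytes that follow it */
static const size_t param_len[NUM_CMDS] = { 2, 5, 8 };

typedef struct {
    uint8_t fifo[FIFO_SIZE + SLACK];
    size_t  pos;       /* write index into fifo (the field that must be reset) */
    size_t  received;  /* bytes seen so far for the command in progress        */
    size_t  expected;  /* total bytes for that command; 0 = waiting for opcode */
    uint8_t opcode;
} ctrl_t;

static void ctrl_init(ctrl_t *c) { memset(c, 0, sizeof *c); }

/* Feed one byte from the guest. Returns 1 if the write index had already
 * left the real buffer (the event a bounds check would have to catch). */
static int feed_byte(ctrl_t *c, uint8_t b, bool hardened)
{
    int flagged = (c->pos >= FIFO_SIZE);
    if (flagged && hardened) {
        /* Hardened: refuse the write and resynchronise the controller. */
        c->pos = 0; c->received = 0; c->expected = 0;
        return 1;
    }
    if (c->pos < sizeof c->fifo)       /* slack area absorbs the modelled overflow */
        c->fifo[c->pos] = b;
    c->pos++;

    if (c->expected == 0) {            /* first byte of a command is its opcode */
        c->opcode   = (uint8_t)(b % NUM_CMDS);
        c->expected = 1 + param_len[c->opcode];
    }
    c->received++;

    if (c->received == c->expected) {  /* whole command received: "execute" it */
        c->received = 0;
        c->expected = 0;
        /* The defect: one handler forgets to clear the write index. The
         * hardened variant clears it after every command without exception. */
        if (hardened || c->opcode != LEAKY_OPCODE)
            c->pos = 0;
    }
    return flagged;
}

/* Build `repeats` copies of one command (opcode + filler parameters). */
static size_t build_stream(uint8_t opcode, size_t repeats, uint8_t *out, size_t cap)
{
    size_t n = 0, per = 1 + param_len[opcode];
    for (size_t r = 0; r < repeats && n + per <= cap; r++) {
        out[n++] = opcode;
        for (size_t i = 0; i < param_len[opcode]; i++)
            out[n++] = 0xAA;            /* constructed filler parameter byte */
    }
    return n;
}

/* Run a byte stream through the model; returns how many writes landed
 * (or, when hardened, would have landed) beyond the real buffer. */
static size_t count_overflows(const uint8_t *s, size_t n, bool hardened)
{
    ctrl_t c; ctrl_init(&c);
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += (size_t)feed_byte(&c, s[i], hardened);
    return bad;
}

/* Three back-to-back "leaky" commands: 27 bytes against a 16-byte buffer. */
size_t demo_leaky_overflows(bool hardened)
{
    uint8_t s[64];
    size_t n = build_stream(LEAKY_OPCODE, 3, s, sizeof s);
    return count_overflows(s, n, hardened);
}

/* Ten well-behaved commands whose handler does reset: never overflows. */
size_t demo_benign_overflows(bool hardened)
{
    uint8_t s[64];
    size_t n = build_stream(0, 10, s, sizeof s);
    return count_overflows(s, n, hardened);
}

int main(void)
{
    printf("leaky stream, unsafe:    %zu bytes past buffer\n", demo_leaky_overflows(false));
    printf("leaky stream, hardened:  %zu bytes past buffer\n", demo_leaky_overflows(true));
    printf("benign stream, unsafe:   %zu bytes past buffer\n", demo_benign_overflows(false));
    return 0;
}
```

The point the model makes is that the controller still knows when each command is complete (`received` is cleared every time), so the command-length accounting looks correct; only the write index is left stale, and a guest that repeats the affected command turns that into writes past the buffer. The unconditional reset is the actual fix for this class of bug; the bounds check on `pos` is a defence-in-depth measure in this model so that a future handler with the same omission is rejected rather than silently overflowing.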
The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase. The good news is that VENOM has not been seen in the wild, but that does not necessarily mean nobody has used it before.
Amazon Web Services released a statement saying that its customers are not at risk.
We are aware of the QEMU security issue assigned CVE-2015-3456, also known as “VENOM,” which impacts various virtualized platforms. There is no risk to AWS customer data or instances.
Rackspace also released a statement saying its customers are not at risk.
…applied the appropriate patch to our infrastructure and are working with customers to remediate fully this vulnerability.
Google, on the other hand, said they “don’t use vulnerable software”, so they are not at risk either. Since Microsoft Azure uses its own virtualization software, most Microsoft customers are protected.
Admins, Patch Your Systems
If you administer a system running Xen, KVM, or the native QEMU client, review and apply the latest patches developed to address this vulnerability.
If you have a vendor service or device using one of the affected hypervisors, contact the vendor’s support team to see if their staff has applied the latest VENOM patches.
CrowdStrike is aware of the following vendor patches, advisories, and notifications.
- QEMU: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
- Xen Project: http://xenbits.xen.org/xsa/advisory-133.html
- Red Hat: https://access.redhat.com/articles/1444903
- Citrix: http://support.citrix.com/article/CTX201078
- FireEye: https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf
- Linode: https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/
- Rackspace: https://community.rackspace.com/general/f/53/t/5187
- Ubuntu: http://www.ubuntu.com/usn/usn-2608-1/
- Debian: https://security-tracker.debian.org/tracker/CVE-2015-3456
- SUSE: https://www.suse.com/support/kb/doc.php?id=7016497
- DigitalOcean: https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/
- F5: https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html
- Joyent: https://help.joyent.com/entries/68099220-Security-Advisory-on-Venom-CVE-2015-3456-in-KVM-QEMU
- Liquid Web: http://www.liquidweb.com/kb/information-on-cve-2015-3456-qemu-vulnerability-venom/
- UpCloud: http://status.upcloud.com/incidents/tt05z2340wws
We recommend you reach out to your vendors directly to get the latest security updates.