This week a vulnerability dubbed VENOM (CVE-2015-3456) was discovered in the floppy disk driver code of QEMU (Quick Emulator), a hardware emulator and virtualization package. That might sound pretty esoteric, but QEMU is used in some very popular cloud and virtualization platforms. According to the research, the affected packages are KVM (Kernel Virtual Machine), Xen, Oracle VM, and any other products that use QEMU directly to virtualize workloads.
Virtual machine platforms that do not rely on the QEMU code, like VMware, Microsoft Hyper-V, and Bochs, are not affected by VENOM.
So far no reports have emerged of this vulnerability being exploited “in the wild”, but it deserves specific attention for two reasons: the broad number of systems potentially at risk, and the significance of the hypothetical use of this flaw for a guest-to-host virtual machine “escape”. Such an escape would be another novel way for an attacker to penetrate further into your environment and potentially expose adjacent cloud or virtualized workloads that they could not normally see or access. The VENOM site page includes a handy visual representation of this envisioned attack.
The good news is that the patches required to resolve this issue are relatively easy to implement, and Halo can help you quickly identify any vulnerabilities in your infrastructure.
With Halo and SVA you can easily do a complete software inventory and vulnerability assessment and determine whether you have any instances of the vulnerable software, such as the packages xen, QEMU, and QEMU-kvm. Once you determine which of your software is vulnerable, you can update those packages to a patched version. Debian, Ubuntu, CentOS, and Red Hat have already issued patches that fix the VENOM vulnerability.
Note: Most companies that use the cloud will not be in a position to respond to the VENOM vulnerability directly, as this is more of a cloud infrastructure issue; you will see the cloud service providers that use affected virtual machines rushing to patch them.
At the time of this blog’s publication you should be able to initiate a Halo Software Vulnerability Analysis scan and detect whether the versions of xen, QEMU-kvm, or QEMU installed on your servers are vulnerable.
For more information on how to run the scan, click here.
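A host-level cross-check of the inventory step described above, as an added example that is not part of the original post and is not Halo code: it lists qemu and xen family packages on a Debian/Ubuntu or CentOS/Red Hat host and looks for a CVE-2015-3456 entry in each package's local changelog. The package-name prefixes, the changelog locations, and the use of a changelog entry as evidence of the fix are assumptions; the vendor advisory for your release remains the authority on patched versions.

```shell
#!/bin/sh
# Added example (not Halo code). Usage: sh venom-inventory.sh --scan
CVE="CVE-2015-3456"

# Read "name version" lines on stdin; print those in the qemu/xen families.
# Assumption: the affected packages start with "qemu" or "xen"; distributions
# split and name these packages differently, so adjust the pattern as needed.
filter_candidates() {
    awk '$1 ~ /^(qemu|xen)/ { print $1, $2 }'
}

# Read a package changelog on stdin; succeed if it records the CVE fix.
changelog_has_fix() {
    grep -q "$CVE"
}

# List packages as "name version" with whichever package tool is present.
# (dpkg-query also lists removed-but-not-purged packages.)
list_installed() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
    fi
}

# Print the locally stored changelog for one package, if there is one.
get_changelog() {
    if command -v dpkg-query >/dev/null 2>&1; then
        zcat "/usr/share/doc/$1/changelog.Debian.gz" 2>/dev/null
    else
        rpm -q --changelog "$1" 2>/dev/null
    fi
}

# Report every candidate package found on this host.
scan_host() {
    list_installed | filter_candidates | while read -r name version; do
        if get_changelog "$name" | changelog_has_fix; then
            echo "$name $version: changelog lists $CVE fix"
        else
            echo "$name $version: no $CVE entry found, check vendor advisory"
        fi
    done
}

if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

Updating the package replaces the QEMU binary on disk only; guests that were already running keep executing the old code until they are powered off and started again.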