CVE-2015-3456 – VENOM

There is a critical Security Advisory concerning a (quite old but newly discovered) Bug in the FDC (Floppy Disk Drive) Virtualization Stack on almost all virtualization platforms except:

  • Microsoft HyperV
  • VMWare

The following Hypervisors ARE affected:

  • Any Version of QEMU
  • Any Hypervisor requiring LibVirt (KVM, Too)
  • Any Version of XEN (OpenSource and Commercial)

 

Please note:

Disabling the Floppy Disk Drive for virtual instances DOES NOT RESOLVE this Vulnerability!

This is a LOCAL Vulnerability only, so please make sure ALL your Staff is informed and no unauthorized people can get shell access to any machine in any way.

Proxmox Customers with Maintenance Contract

For our Proxmox Customers with Maintenance Contract, the Update will be coordinated within the next several days. Upon resolution, 24/7 Monitoring will be carried out by our Surveillance Team.

For all other Proxmox Customers: We will contact you and discuss the further steps that need to be taken.

 

Hosting Customers

We have already updated our core infrastructure and will monitor the infrastructure closely.

Detailed CVE Information

Original release date: 05/13/2015
Last revised: 05/13/2015
Source: US-CERT/NIST
This vulnerability is currently undergoing analysis and not all information is available.
Please check back soon to view the completed vulnerability summary.

Overview
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Further Information: https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/ (opens a new Browser-Tab)