Overview
VENOM (CVE-2015-3456) is a heap-based buffer overflow in the Floppy Disk Controller (FDC) emulation code of QEMU. It affects QEMU itself and the range of virtualization products that reuse its FDC emulation code. The vulnerable controller code is reachable even when no virtual floppy drive is attached to the guest: a privileged user inside the guest (one who can access the FDC I/O ports) can send crafted commands and data to the emulated controller, crash the hypervisor process, or potentially execute arbitrary code on the host with the privileges of that process, and from there reach the other guests running on the same host.
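The following is an added, simplified model of the bug class, written for this advisory; it is not QEMU's hw/block/fdc.c and carries none of its command handling. It assumes a 512-byte data FIFO (QEMU's FD_SECTOR_LEN) indexed by a counter that grows with every guest write and is only brought back into range when a command handler resets it. In QEMU the overflow was reached through command handlers that did not reset that counter; the upstream fix bounds the index on every FIFO access, which is the hardened variant shown here. The "shadow" bytes placed after the FIFO stand in for whatever heap memory would follow the real buffer, so the effect of an out-of-range index is observable without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FD_SECTOR_LEN 512   /* size of the FDC data FIFO, as in QEMU */
#define SHADOW_LEN    16    /* constructed stand-in for memory adjacent to the FIFO */

/* The FIFO and the bytes that follow it share one array (model only) so an
 * out-of-range write stays defined behaviour and can be counted afterwards. */
struct fdc_model {
    uint8_t  mem[FD_SECTOR_LEN + SHADOW_LEN];
    uint32_t data_pos;      /* index of the next FIFO byte to write */
};

static void fdc_model_reset(struct fdc_model *c) {
    memset(c->mem, 0, sizeof c->mem);
    memset(c->mem + FD_SECTOR_LEN, 0xAA, SHADOW_LEN);  /* recognisable fill */
    c->data_pos = 0;
}

/* Vulnerable pattern: the index is incremented on every guest write and the
 * only thing keeping it inside the FIFO is a reset performed by each command
 * handler. A handler that omits the reset lets data_pos run past the buffer. */
static void fifo_write_unbounded(struct fdc_model *c, uint8_t value) {
    uint32_t pos = c->data_pos++;
    if (pos < sizeof c->mem)        /* model guard only; real code has no such check */
        c->mem[pos] = value;
}

/* Hardened pattern, after the style of the upstream fix: the index is wrapped
 * on every access, so no command handler can push a write out of the FIFO. */
static void fifo_write_bounded(struct fdc_model *c, uint8_t value) {
    uint32_t pos = c->data_pos++;
    pos %= FD_SECTOR_LEN;
    c->mem[pos] = value;
}

/* Number of shadow bytes that no longer hold the fill pattern (0 = no overflow). */
static int count_clobbered(const struct fdc_model *c) {
    int n = 0;
    for (int i = 0; i < SHADOW_LEN; i++)
        if (c->mem[FD_SECTOR_LEN + i] != 0xAA)
            n++;
    return n;
}

/* Drive one variant with the same constructed guest behaviour: a command whose
 * handler never resets data_pos, followed by nbytes of parameter data.
 * Returns how many bytes beyond the FIFO were overwritten. */
int simulate_guest(int hardened, int nbytes) {
    struct fdc_model c;
    fdc_model_reset(&c);
    for (int i = 0; i < nbytes; i++) {
        uint8_t v = 0x41;                       /* constructed guest payload byte */
        if (hardened)
            fifo_write_bounded(&c, v);
        else
            fifo_write_unbounded(&c, v);
    }
    return count_clobbered(&c);
}

int main(void) {
    printf("unbounded, 512 bytes  : %d bytes clobbered\n", simulate_guest(0, FD_SECTOR_LEN));
    printf("unbounded, 520 bytes  : %d bytes clobbered\n", simulate_guest(0, FD_SECTOR_LEN + 8));
    printf("unbounded, 10000 bytes: %d bytes clobbered\n", simulate_guest(0, 10000));
    printf("bounded,   10000 bytes: %d bytes clobbered\n", simulate_guest(1, 10000));
    return 0;
}
```

The point the model makes is the one that matters for triage: the guest never needs a floppy drive, only the ability to keep writing to the controller's data port, and the correct fix lives on the FIFO access path rather than in any single command handler.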
Vulnerable systems
Systems vulnerable to CVE-2015-3456 are QEMU and the virtualization products that reuse its FDC emulation code, including Oracle VirtualBox.
A maintenance release, Oracle VirtualBox 4.3.28, should be released soon to fix CVE-2015-3456.
Non-vulnerable systems
The systems not vulnerable to CVE-2015-3456 are:
- Bochs
- Microsoft Hyper-V
- VMware
Impact of such vulnerability in virtualization technologies
As stated in NIST SP 800-125, Guide to Security for Full Virtualization Technologies:
Full virtualization has some negative security implications. Virtualization adds layers of technology, which can increase the security management burden by necessitating additional security controls. Also, combining many systems onto a single physical computer can cause a larger impact if a security compromise occurs. Further, some virtualization systems make it easy to share information between the systems; this convenience can turn out to be an attack vector if it is not carefully controlled. In some cases, virtualized environments are quite dynamic, which makes creating and maintaining the necessary security boundaries more complex.
The impact of a vulnerability in a virtualized environment should not be underestimated: a guest-to-host escape such as VENOM does not only compromise the hypervisor host, it exposes every other guest running on that host, including guests belonging to other tenants.
References
- VENOM Virtualized Environment Neglected Operations Manipulation
- Virtunoid: Breaking out of KVM (2011), an earlier qemu-kvm vulnerability with a public guest-to-host breakout exploit
- VENOM: QEMU vulnerability (CVE-2015-3456)
- Historical view of confirmed vulnerabilities in qemu
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.0 - TLP:WHITE - First version