myhack58 | 佚名 (Anonymous) | MYHACK58:62201562439
May 15, 2015 - 12:00 a.m.

Vulnerability warning: the VENOM vulnerability puts millions of virtual machines worldwide at risk - vulnerability warnings - myhack58 (Black Bar Security Net)

2015-05-15 00:00:00
佚名 (Anonymous)
www.myhack58.com

CVSS2: 7.7 High
Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C
EPSS: 0.001 Low (percentile 40.5%)

Security researchers at CrowdStrike say that a QEMU vulnerability named VENOM could put millions of virtual machines at risk of attack. The vulnerability allows a virtual machine to escape its guest and threatens the data security of the world's largest cloud service providers. QEMU is a free, instruction-level emulator that is widely used in GNU/Linux distributions.
How the vulnerability works
The vulnerability, named VENOM and numbered CVE-2015-3456, threatens the whole security industry and allows a virtual machine to escape its guest. QEMU is a free, instruction-level emulator widely used in GNU/Linux distributions, including Debian, Gentoo, SUSE, Red Hat and CentOS.
VENOM was discovered by CrowdStrike senior security researcher Jason Geffner. He explained that an attacker can use the vulnerability to compromise any machine on a data center network, and that millions of virtual machines are exposed to it. Geffner wrote in a blog post:
“VENOM (CVE-2015-3456) is a security vulnerability in the virtual floppy drive (FDC) code used by many computer virtualization platforms. The vulnerability may allow an attacker to escape the confines of an affected virtual machine guest and potentially obtain code execution on the host. In addition, an attacker could use it to access the host system and all virtual machines running on that host, and to gain significant elevated access to the host's local network and adjacent systems.”
The guest operating system communicates with the FDC by sending commands such as seek, read, write and format to the FDC's I/O ports. QEMU's virtual FDC uses a fixed-size buffer to store each command and its associated parameter data. The FDC tracks how much data each command is expected to carry; once all the expected data for a command has been received, the FDC executes the command and clears the buffer for the next one.
For every FDC command except two, the buffer is reset immediately after the command has been processed. An attacker can send those two commands from the guest, together with specially crafted parameter data, to the FDC so that the data buffer overflows, and then execute arbitrary code in the context of the hypervisor process on the host.
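To make the buffer handling described above concrete, the following is a small C model, added here as an illustration and not QEMU's own code, of a command FIFO backed by a fixed-size buffer. One constructed command handler forgets to return the controller to the command phase, which is the pattern behind VENOM, so every later byte keeps advancing the write position past the end of the buffer; the hardened variant bounds-checks every write. The buffer size, opcode numbers and all names are made up, and the model records out-of-bounds writes against a guard byte instead of corrupting memory.

```c
/* Toy model of the QEMU FDC command-FIFO defect behind VENOM (CVE-2015-3456)
 * and a bounds-check hardening. Constructed for illustration: not QEMU code;
 * opcode numbers, buffer size and names are made up. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_FIFO_SIZE 16      /* constructed; the real FIFO is larger */
#define TOY_GUARD     0xA5    /* canary placed after the FIFO to make overruns visible */

/* Constructed opcodes (not the real FDC command bytes). */
#define TOY_CMD_NORMAL 0x01   /* handler resets the FIFO when it finishes */
#define TOY_CMD_STICKY 0x02   /* handler forgets to reset the FIFO: the VENOM pattern */

typedef struct {
    uint8_t  fifo[TOY_FIFO_SIZE];
    uint8_t  guard;      /* stands in for whatever host memory follows fifo[] */
    size_t   data_pos;   /* bytes of the current command received so far */
    size_t   data_len;   /* bytes the current command expects in total */
    unsigned overruns;   /* writes that landed outside fifo[] */
    bool     hardened;   /* true: bounds-check every FIFO write */
    bool     rejected;   /* set when the hardened path refused a write */
} toy_fdc;

static void toy_fdc_init(toy_fdc *f, bool hardened) {
    memset(f, 0, sizeof *f);
    f->guard = TOY_GUARD;
    f->hardened = hardened;
}

/* Parameter bytes each constructed command expects after its opcode. */
static size_t toy_param_count(uint8_t opcode) {
    switch (opcode) {
    case TOY_CMD_NORMAL: return 2;
    case TOY_CMD_STICKY: return 1;
    default:             return 0;  /* unknown opcode: no parameters */
    }
}

/* Command "execution". The root-cause fix is to reset data_pos here for
 * every command; TOY_CMD_STICKY deliberately does not, to reproduce the bug. */
static void toy_run_handler(toy_fdc *f) {
    if (f->fifo[0] != TOY_CMD_STICKY) {
        f->data_pos = 0;   /* back to command phase: the next byte is a new opcode */
    }
}

/* Guest writes one byte to the data port. The first byte of a command selects
 * the handler and fixes data_len; later bytes are appended until data_len is
 * reached and the handler runs. */
static void toy_fdc_write(toy_fdc *f, uint8_t value) {
    if (f->data_pos == 0) {
        f->data_len = toy_param_count(value) + 1;
    }
    if (f->hardened && f->data_pos >= TOY_FIFO_SIZE) {
        /* Hardened path: refuse to index past the buffer, drop the byte and
         * resynchronise by returning to the command phase. */
        f->rejected = true;
        f->data_pos = 0;
        return;
    }
    if (f->data_pos < TOY_FIFO_SIZE) {
        f->fifo[f->data_pos] = value;
    } else {
        /* Out of bounds. The real device would corrupt adjacent host memory;
         * the model only clobbers the guard byte and counts the event. */
        f->guard = value;
        f->overruns++;
    }
    f->data_pos++;
    /* After a sticky command data_pos is already past data_len, so this
     * equality never holds again and every further byte keeps advancing. */
    if (f->data_pos == f->data_len) {
        toy_run_handler(f);
    }
}

typedef struct {
    unsigned overruns;
    bool     guard_intact;
    bool     rejected;
} toy_result;

/* Send one complete command, then `extra` bytes of 0x42, and report what
 * happened to the buffer. */
static toy_result toy_flood(bool hardened, uint8_t opcode, unsigned extra) {
    toy_fdc f;
    toy_fdc_init(&f, hardened);
    toy_fdc_write(&f, opcode);
    for (size_t i = 0; i < toy_param_count(opcode); i++) toy_fdc_write(&f, 0x00);
    for (unsigned i = 0; i < extra; i++) toy_fdc_write(&f, 0x42);
    toy_result r = { f.overruns, f.guard == TOY_GUARD, f.rejected };
    return r;
}

int main(void) {
    toy_result v = toy_flood(false, TOY_CMD_STICKY, 20);
    toy_result h = toy_flood(true,  TOY_CMD_STICKY, 20);
    printf("vulnerable: overruns=%u guard_intact=%d\n", v.overruns, v.guard_intact);
    printf("hardened:   overruns=%u guard_intact=%d rejected=%d\n",
           h.overruns, h.guard_intact, h.rejected);
    return 0;
}
```

With the constructed 16-byte buffer, the unhardened run reports six out-of-bounds writes and a clobbered guard after the sticky command, while the normal command never leaves the buffer and the hardened run rejects the first out-of-range byte and resynchronises. Resetting data_pos in every handler removes the root cause; the bounds check is the defence in depth that still holds when a handler forgets.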
Vulnerability
VENOM stands for Virtualized Environment Neglected Operations Manipulation. It is a vulnerability in the floppy disk controller code of QEMU, the open-source PC emulator used to run virtual machines. An attacker can send commands and crafted parameter data from the guest to the floppy disk controller so that its data buffer overflows, and then execute arbitrary code in the context of the hypervisor process on the host.
VENOM is very dangerous because, if it can be exploited, it affects a large number of virtualization platforms worldwide, the conditions for triggering it are simple (a virtual machine in its default configuration is enough), and, most importantly, it allows arbitrary code execution. Experts explained that VENOM could affect thousands of organizations and millions of end users. An attacker could crash the hypervisor and gain control of the target machine and of all the virtual machines running on it.
Geffner explains:
“Exploitation of the VENOM vulnerability can expose access to corporate intellectual property, in addition to sensitive data and personally identifiable information, and may affect thousands of organizations and millions of end users that rely on the affected virtual machines for the allocation of shared computing resources, connectivity, storage, security and privacy services.”
The vulnerability lies in QEMU's virtual floppy disk controller (FDC), and the FDC code is used in many virtualization platforms and appliances, notably Xen, KVM and native QEMU clients. VMware, Microsoft Hyper-V and Bochs hypervisors are not affected by the vulnerability.
Vulnerability POC (the listing is cut off on the original page after the for-loop header)
#include <sys/io.h>
#define FIFO 0x3f5
int main() {
int i;
iopl(3); /* request raw I/O port access inside the guest */
outb(0x0a,0x3f5); /* READ ID */
for (i=0;i
Safety recommendations
If you run systems with Xen, KVM or native QEMU guests, we recommend reviewing and applying the latest patches for this vulnerability.
If you use a provider's service or appliance affected by this vulnerability, contact the vendor's support team as soon as possible and ask whether the vulnerability has been fixed or whether a patch has been released.
References: patches and advisories published by vendors
QEMU: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
Xen Project: http://xenbits.xen.org/xsa/advisory-133.html
Red Hat: https://access.redhat.com/articles/1444903
Citrix: http://support.citrix.com/Article/CTX201078
FireEye: https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf
Linode: https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/
Rackspace: https://community.rackspace.com/general/f/53/t/5187
Ubuntu: http://www.ubuntu.com/usn/usn-2608-1/
Debian: https://security-tracker.debian.org/tracker/CVE-2015-3456
SUSE: https://www.suse.com/support/kb/doc.php?id=7016497
DigitalOcean: https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/
F5: https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html
