SA95 : VENOM Vulnerability in Virtualization Platforms

Symantec Security Response, SMNTC-1321
May 15, 2015 - 8:00 a.m.

7.7 High

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:A/AC:L/Au:S/C:C/I:C/A:C

SUMMARY

The VENOM vulnerability allows a local guest user in affected virtualized platforms to escape from the virtual environment and execute code on the host. An attacker can use this vulnerability to gain complete access to the host and to the host’s local network and adjacent systems.

AFFECTED PRODUCTS

X-Series

CVE | Affected Version(s) | Remediation
CVE-2015-3456 | 11.0 and later | Not vulnerable
CVE-2015-3456 | 10.0 | Not available at this time.
CVE-2015-3456 | 9.7 | Upgrade to later release with fixes.
CVE-2015-3456 | 9.6 | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

Only vulnerable when running McAfee Firewall Enterprise. Customers running Check Point or other applications are not affected.

Successful exploit of this vulnerability would first require a compromise of the McAfee Firewall Enterprise instance. Customers should check with their application vendors for any additional information on potential vulnerabilities within their application.

XOS utilizes KVM to run McAfee Firewall Enterprise on APM blades of an X-Series chassis. The impact of this vulnerability is limited in this environment because XOS only runs a single trusted McAfee Firewall Enterprise VM per APM module. Additionally, the McAfee Firewall Enterprise guest and the XOS host cooperate within a single security domain to provide firewall services. Therefore, an attacker exploiting the VENOM vulnerability would not cross a significant security boundary. Lastly, there is no inherent trust between APM modules within a chassis, so it would be difficult for an attacker who used this vulnerability to compromise a single APM to pivot to another APM module within the chassis.

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
Auth Connector Login Application
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
Director
IntelligenceCenter
K9
Mail Threat Defense
Malware Analysis Appliance
Malware Analyzer G2
Management Center
Mobile Device Security
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
OPIC
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

Virtualized Environment Neglected Operation Manipulation (VENOM) is a defect in QEMU’s virtual Floppy Disk Controller (FDC). This FDC code is used in multiple virtualization platforms including Xen, KVM, and the native QEMU client. VMware, Microsoft Hyper-V, and Bochs hypervisors are known not to be impacted. The vulnerability can be exploited regardless of the guest operating system, and even if the virtual floppy drive has been disabled.

An attacker can utilize the VENOM vulnerability to escape from the virtual host. The attacker can use this access to execute code on the host which could result in the attacker gaining elevated privileges on the host’s local network and adjacent systems.
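The advisory's key caveat is that the FDC defect is reachable even when the virtual floppy drive is disabled, so an inventory check that only looks for floppy arguments under-reports. The following triage script is an added example, not part of the Symantec advisory: it reports every QEMU/KVM process found in (constructed) `ps` output, records floppy attachment only as context, and points at the real remediation, a patched QEMU build.

```python
"""Added example (not from the advisory): triage QEMU/KVM command lines
for VENOM (CVE-2015-3456) exposure on a host.

Every QEMU process is reported, because the vulnerable FDC code is
reachable whether or not a floppy drive is attached. Sample input is a
constructed `ps -eo args` listing, not real hosts.
"""
import re
import shlex

# Constructed sample of `ps -eo args` output.
SAMPLE_PS = """\
/usr/bin/qemu-system-x86_64 -name guest=fw1,debug-threads=on -machine pc-i440fx-2.1 -fda /var/lib/images/boot.img -enable-kvm
/usr/bin/qemu-kvm -name guest=fw2 -machine pc-i440fx-2.1 -enable-kvm
/usr/sbin/sshd -D
"""

# Matches qemu-system-<arch> and qemu-kvm binaries by basename.
QEMU_RE = re.compile(r"^qemu(-system-\w+|-kvm)?$")


def parse_qemu_processes(ps_output):
    """Return one finding per QEMU process in the listing."""
    findings = []
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        argv = shlex.split(line)
        if not QEMU_RE.match(argv[0].rsplit("/", 1)[-1]):
            continue
        name, floppy = None, False
        for i, arg in enumerate(argv):
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            if arg == "-name":
                name = nxt.split("guest=")[-1].split(",")[0]
            elif arg in ("-fda", "-fdb"):
                floppy = True
            elif arg == "-drive" and "if=floppy" in nxt:
                floppy = True
        findings.append({
            "name": name,
            "binary": argv[0],
            "floppy_attached": floppy,
            # Disabling the floppy does not mitigate VENOM; patching does.
            "action": "patch QEMU build (FDC reachable even without floppy)",
        })
    return findings


if __name__ == "__main__":
    for f in parse_qemu_processes(SAMPLE_PS):
        print(f)
```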

CVE-2015-3456

Severity / CVSSv2 | High / 7.7 (AV:A/AC:L/Au:S/C:C/I:C/A:C)
References | SecurityFocus: BID 74640 / NVD: CVE-2015-3456
Impact | Privilege escalation
Description | XOS utilizes KVM to run McAfee Firewall Enterprise on APM blades of an X-Series chassis.

REFERENCES

VENOM disclosure - <http://venom.crowdstrike.com/>

REVISION

2020-04-18 Advisory status moved to Closed.
2019-10-02 Web Isolation is not vulnerable.
2019-01-17 A fix will not be provided for XOS 9.7. Please upgrade to a later release with the vulnerability fixes.
2017-03-06 Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-09-15 Advanced Secure Gateway is not vulnerable.
2016-06-11 PolicyCenter S-Series is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-23 Mail Threat Defense is not vulnerable.
2015-07-13 Title Update
2015-05-18 ProxySG, OPIC, and Director are not vulnerable.
2015-05-15 AuthConnector, Auth Connector Login Application, and BCAAA are not vulnerable.
2015-05-15 Initial public release

CPE Name | Operator | Version
x-series | eq | 1
x-series | eq | 9
