VENOM
Deprecated: this page has been migrated to the main website at https://ubuntu.com/security/vulnerabilities/venom
QEMU buffer overflow in the floppy disk controller (CVE-2015-3456 aka VENOM)
It was discovered that a buffer overflow existed in the virtual floppy disk controller of QEMU. An attacker could use this issue to cause QEMU to crash or execute arbitrary code in the host's QEMU process.
This issue is mitigated in a couple of ways on Ubuntu when using libvirt to manage QEMU virtual machines, which includes OpenStack's use of QEMU. The QEMU process in the host environment is owned by a special libvirt-qemu user, which helps to limit access to resources in the host environment. Additionally, the QEMU process is confined by an AppArmor profile that significantly lessens the impact of a vulnerability such as VENOM by reducing the host environment's attack surface.
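A host-side check of the two mitigations described above, as an added example that is not part of the original page or of any Ubuntu tooling. The function name, the process names it matches (`kvm`, `qemu*`) and the `libvirt-` profile-name prefix are assumptions of this sketch; run it as root so every process can be inspected.

```python
import os

def audit_qemu_confinement(expected_uid, proc_root="/proc"):
    """Map each QEMU pid under proc_root to a list of findings (empty = OK)."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            # Assumed process names: "kvm" or anything starting with "qemu".
            if comm != "kvm" and not comm.startswith("qemu"):
                continue
            with open(os.path.join(base, "status")) as fh:
                uid_line = next(line for line in fh if line.startswith("Uid:"))
            # AppArmor exposes the attached profile and mode in attr/current.
            with open(os.path.join(base, "attr", "current")) as fh:
                label = fh.read().strip("\x00\n ")
        except (OSError, StopIteration):
            continue  # process exited, or we lack permission to inspect it
        findings = []
        euid = int(uid_line.split()[2])  # fields: real, effective, saved, fs
        if euid != expected_uid:
            findings.append(f"runs as uid {euid}, not libvirt-qemu")
        if label == "unconfined":
            findings.append("no AppArmor profile attached")
        elif not label.startswith("libvirt-"):  # assumed per-VM profile prefix
            findings.append(f"unexpected AppArmor label: {label}")
        elif not label.endswith("(enforce)"):
            findings.append(f"profile not enforcing: {label}")
        report[int(pid)] = findings
    return report

if __name__ == "__main__":
    import pwd
    uid = pwd.getpwnam("libvirt-qemu").pw_uid
    for pid, findings in sorted(audit_qemu_confinement(uid).items()):
        print(pid, "OK" if not findings else "; ".join(findings))
```

A guest started by hand outside libvirt shows up here as running under another uid with an `unconfined` label, which is the case where neither mitigation applies.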
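A fix for this issue has been committed in the upstream QEMU source code tracker (http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c). Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 14.10, and Ubuntu 15.04 are affected. To address the issue, ensure that the following package versions are installed:
- Ubuntu 12.04 LTS: qemu-kvm 1.0+noroms-0ubuntu14.22 (https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.22)
- Ubuntu 14.04 LTS: qemu 2.0.0+dfsg-2ubuntu1.11 (https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.11)
- Ubuntu 14.10: qemu 2.1+dfsg-4ubuntu6.6 (https://launchpad.net/ubuntu/+source/qemu/2.1+dfsg-4ubuntu6.6)
- Ubuntu 15.04: qemu 1:2.2+dfsg-5expubuntu9.1 (https://launchpad.net/ubuntu/+source/qemu/1:2.2+dfsg-5expubuntu9.1)
These updates were announced in USN 2608-1 (http://www.ubuntu.com/usn/usn-2608-1).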
Timeline
- 2015 Apr 30: The Ubuntu Security Team was notified by CrowdStrike via the linux-distros list, with a pending CRD of 2015-05-13 12:00 UTC
- 2015 May 13: Issue became public a few hours before the CRD via Twitter (https://twitter.com/staatsgeheim/status/598419888781266944) and Reddit (http://www.reddit.com/r/sysadmin/comments/35tclh/venom_hypervisor_vm_escape_via_floppy_drive_bugs/) with links to CrowdStrike's VENOM page (http://venom.crowdstrike.com/)
- 2015 May 13: CrowdStrike sent a notification email (http://www.openwall.com/lists/oss-security/2015/05/13/3) to the oss-security mailing list
- 2015 May 13: Ubuntu released security updates (USN 2608-1)
- 2015 May 13: Cloud Archive's Kilo (14.04) pocket received the QEMU security update
- 2015 May 14: Cloud Archive's Icehouse (12.04) pocket received the QEMU security update
Cloud Archive updates
- Ubuntu Cloud Archive Icehouse pocket for 12.04: qemu 2.0.0+dfsg-2ubuntu1.11~cloud0 is available
- Ubuntu Cloud Archive Kilo pocket for 14.04: qemu 1:2.2+dfsg-5expubuntu9.1~cloud0 is available
SecurityTeam/KnowledgeBase/VENOM (last edited 2025-04-17 11:56:08 by lucistanescu)