Cloud IaaS & CVE-2015-3456 (VENOM) Security Vulnerability

CVE-2015-3456 or VENOM Security Vulnerability is a new Vulnerability. VENOM stands for Virtualized Environment Neglected Operations Manipulation. This CVE-2015-3456 (VENOM) is a security vulnerability within the QEMU service used to run instances within the Cloud Service provider. This vulnerability may allow a malicious user to escape a virtual instance and potentially gain access to the host node running the instance.

More Information on CVE-2015-3456 (VENOM) Security Vulnerability

Most of the Cloud IaaS providers either has published publicly readable information about CVE-2015-3456 (VENOM) or has sent emails to the users. Jason Geffner of CrowdStrike (Senior Security Researcher) discovered that QEMU incorrectly handled the virtual floppy driver. This is VENOM or CVE-2015-3456.

Daniel P. Berrange discovered that QEMU incorrectly handled VNC web sockets. This is CVE-2015-1779. Jan Beulich discovered that QEMU, when used with Xen, didn’t properly restrict access to PCI command registers. This is CVE-2015-2756. It is estimated that the VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase. This vulnerability was discovered at the end of April 2015 and was kept hidden to protect the users from the script kiddies till the patch was discovered.

From the infographics, as you can understand; your provider has the major works, you need to do less :

This flaw escapes the requirement of the floppy device to be present in /dev/ location within the guest. User-level access to a guest with sufficient permissions to talk to FDC I/O ports is all that is required to exploit this flaw.

What to Do With CVE-2015-3456 (VENOM) Security Vulnerability as Cloud IaaS User

At the user level, you can perform a routine update after your cloud service provider has notified you about applying the patch or sent a green signal because a guest would continue running using the old, not updated QEMU binary, like in case of Ubuntu :

Then reboot :

For REHL you’ll need to do :

You can update the sources.list to the official repo after taking the backup (Ubuntu 14.04). Keeping the sources.list to provider’s mirror probably is not a good idea for a tight security.

As from Red Hat’s advice – to mitigate the overall risk of this vulnerability, only grant privileged guest access to trusted users. VENOM vulnerability exists in the hypervisor™s codebase, the vulnerability is independent of the type of host operating system. This vulnerability works on GNU/Linux, OS X, Microsoft Windows and the others.

This security flaw can affect both Xen and KVM virtualization. You should read the article on CrowdStrikeâ„¢ ‘s VENOM specific subdomain for the latest information.