** WHITE information - Unlimited distribution allowed **
** see https://go.egi.eu/tlp for distribution restrictions **
EGI SVG ADVISORY [EGI-SVG-CSIRT-2015-05-13]
Title: EGI SVG and CSIRT Advisory "Critical/Low". "VENOM: QEMU vulnerability (CVE-2015-3456)"
Date: 2015-05-13
Updated: 2015-05-15
URL: https://go.egi.eu/CSIRT_Alerts/VENOM-2015-05-13
Introduction
============
A serious vulnerability has been found in virtualization software, granting, in the
worst case scenario, arbitrary code execution on the host to privileged guest users.
This may allow an attacker to gain privileged access to other guests on the same
host.
All x86 and x86-64 based HVM Xen and QEMU/KVM guests are affected.
Patches are available for most software see [R3-R7], [R 9]
Details
=======
For a description of this vulnerability see [R 1],[R 8] and [R 13]
A description by RedHat is in [R 2]
A Proof of Concept exploit (self DOS) is now available [R 11].
There is no indication of a public exploit granting arbitrary code execution on the
host yet, but such exploits are expected.
Risk category
=============
Depending on the virtualization configuration and usage, this vulnerability can be
rated between 'Critical' and 'Low'.
Site falling in ANY of the following categories MUST consider this vulnerability as
'Critical':
- EGI Federated Cloud provider
- VOs/users allowed to instantiate/run their own VMs
- Privileged access given to VOs/users on VMs
- Cloud services offered to different parties on shared hypervisors
However, we recommend any site using virtualization technology to fix this
vulnerability as soon as possible: the situation may evolve.
Affected software
=================
For Red Hat
-----------
This has been fixed for various versions. See [R 3]
For Debian
-----------
This is now fixed for Debian
See [R 4], [R 7]
For Ubuntu
-----------
This is now fixed for Ubuntu. See [R 5], [R 9]
Xen
----
See [R 6]
Virtual Box
-----------
This appears to be partially affected [R 12]
Mitigation
==========
SELinux and in particular sVirt, if properly configured and used, can protect
escalations on the host, see [R 14].
Component installation information
==================================
See software providers information.
Note, as the qemu processes need to be renewed, every running VM need to be
stopped and restarted. Simple reboot from within the VM do not fix the problem.
Recommendations
===============
EGI Federated Cloud Sites are strongly recommended to update relevant
components, and follow the instructions provided by the software vendors to
mitigate the risk as soon as possible.
Credit
======
This vulnerability was discovered by Jason Geffner CrowdStrike Senior Security
Researcher and SVG alerted by Sven Gabriel the EGI Security officer [R 1]
References
==========
[R 1] http://venom.crowdstrike.com/
[R 2] https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/
[R 3] https://access.redhat.com/articles/1444903
[R 4] https://security-tracker.debian.org/tracker/CVE-2015-3456
[R 5] https://bugs.launchpad.net/bugs/cve/2015-3456
[R 6] Xen info http://seclists.org/oss-sec/2015/q2/421
[R 7] Debian
https://lists.debian.org/debian-security-announce/2015/msg00148.html
[R 8] http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine-
bug-threatens-cloud-providers-everywhere/
[R 9] http://www.ubuntu.com/usn/usn-2608-1/
[R 10] http://blog.erratasec.com/2015/05/some-technical-notes-on-
venom.html#.VVRYlPNwbq4
[R 11] http://www.openwall.com/lists/oss-security/2015/05/13/29
[R 12] https://news.ycombinator.com/item?id=9541982
[R 13] http://openwall.com/lists/oss-security/2015/05/14/12
[R 14] http://maciej.lasyk.info/2015/May/13/selinux-svirt-vs-venom-vulnerability/
Comments
========
Comments or questions should be sent to svg-rat@mailman.egi.eu
We are currently revising the vulnerability issue handling procedure so
suggestions and comments are welcome.
Timeline
========
Yyyy-mm-dd
2015-05-13 SVG alerted to this issue by Sven Gabriel the EGI Security officer
2015-05-13 Advisory/alert drafted and sent to sites
2015-05-15 Advisory/alert updated.