VENOM
VENOM (short for Virtualized Environment Neglected Operations Manipulation[1]) is a computer security flaw that was discovered in 2015 by Jason Geffner, then a security researcher at CrowdStrike.[2] The flaw was introduced in 2004 and affected versions of QEMU, Xen, KVM, and VirtualBox from that date until it was patched following disclosure.[3][4]
The vulnerability stems from a flaw in QEMU's virtual floppy disk controller.[5]
VENOM is registered in the Common Vulnerabilities and Exposures database as CVE-2015-3456.[6]
Background
QEMU is a widely used emulator and hypervisor that provides device emulation and virtualization for a variety of platforms and is reused by higher-level virtualization systems such as Xen and KVM.[7]
The VENOM vulnerability arose from a defect in QEMU's implementation of the virtual floppy disk controller (FDC), which is used not only by standalone QEMU deployments but also by a range of virtualization platforms and cloud infrastructures that embed the relevant code.[7][8]
Discovery and disclosure
The vulnerability was discovered by Jason Geffner, a senior security researcher at CrowdStrike, during a security review of virtual machine hypervisors. CrowdStrike coordinated disclosure with QEMU maintainers and affected vendors, including the Xen Project and Linux distribution providers, before the issue was publicly announced.[9][8]
The vulnerability was disclosed publicly on 13 May 2015, together with a branded website and logo under the name "VENOM", and assigned the identifier CVE-2015-3456. Security advisories and updates were issued in quick succession by vendors such as Red Hat, SUSE, Oracle and IBM in the days following disclosure.[10][11][12]
References
- Richard A. Clarke; Robert K. Knake (2019). The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. Penguin. pp. 320–. ISBN 978-0-525-56197-2. https://books.google.com/books?id=ADx0DwAAQBAJ&pg=PA320.
- "VENOM Vulnerability". http://venom.crowdstrike.com/.
- Whittaker, Zack (May 13, 2015). "Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters". https://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/.
- Dan Goodin (May 14, 2015). "Extremely serious virtual machine bug threatens cloud providers everywhere". Ars Technica. https://arstechnica.com/information-technology/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/. Retrieved 11 November 2017.
- Stone, Jeff (May 14, 2015). "Venom Security Flaw: Bug Exploits Floppy Drive, But Researchers Say Threat Overstated". International Business Times (IBT Media). http://www.ibtimes.com/venom-security-flaw-bug-exploits-floppy-drive-researchers-say-threat-overstated-1922070. Retrieved 11 November 2017.
- Marc Dacier; Michael Bailey; Michalis Polychronakis; Manos Antonakakis (2017). Research in Attacks, Intrusions, and Defenses: 20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings. Springer. pp. 422–. ISBN 978-3-319-66332-6. https://books.google.com/books?id=I6Q5DwAAQBAJ&pg=PA422.
- "TR-37 – VENOM / CVE-2015-3456 – Critical vulnerability in QEMU Floppy Disk Controller (FDC) emulation". May 2015. https://www.circl.lu/pub/tr-37/.
- "CVE-2015-3456". Debian Project. https://security-tracker.debian.org/tracker/CVE-2015-3456.
- "CVE-2015-3456". Red Hat. https://access.redhat.com/security/cve/cve-2015-3456.
- "CVE-2015-3456". SUSE. https://www.suse.com/security/cve/CVE-2015-3456.html.
- "Oracle Security Alert for CVE-2015-3456 ("VENOM")". 15 May 2015. https://www.oracle.com/security-alerts/cve-2015-3456.html.
- "Security Bulletin: Venom vulnerability affects IBM PureApplication System (CVE-2015-3456)". 27 May 2015. https://www.ibm.com/support/pages/security-bulletin-venom-vulnerability-affects-ibm-pureapplication-system-cve-2015-3456.
