ADVISORY: VENOM vulnerability affects virtual machine environments using QEMU

Friday, May 15, 2015

This information was sent to U-M IT staff groups via email on May 15, 2015.

This message is intended for U-M IT staff who are responsible for maintaining and running university virtual machines.

Summary: 

The Virtualized Environment Neglected Operations Manipulation (VENOM) vulnerability, which affects some software used for virtual machines, could allow an attacker who has privileged access to a single virtual machine to gain unauthorized access to all virtual machines on that host, as well as the host system itself. There are no reported exploits occurring at this time. Some patches are available now, while others are still being prepared and tested by vendors. Those who maintain affected virtual machines should apply the patches as soon as possible after appropriate testing.

Affected Systems: 

VENOM affects the open-source virtualization package QEMU. It affects QEMU's Virtual Floppy Disk Controller (FDC), which is used in many virtualization platforms and appliances, including Xen, KVM, Oracle's VirtualBox, and the native QEMU client.

Action Items: 

If you are responsible for virtual machines using the affected software, apply the patches as soon as possible after appropriate testing. Check your software vendor's website for patches. CrowdStrike has provided a list of links to vendor patches and more at venom.crowdstrike.com.

Threats: 

The VENOM vulnerability could allow someone with root access on a virtual machine to reach out of that machine, execute code on the host machine, and access all the virtual machines on that host (that is, access all the virtual machines that share the same hypervisor).

Technical Details: 

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

Information for Users: 

Users do not need to do anything in response to VENOM, because it only affects virtual machines. University IT staff and cloud vendors are responsible for patching machines vulnerable to VENOM.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.

Sincerely, 
Don

Donald J. Welch, Ph.D., 
Chief Information Security Officer, 
University of Michigan