VENOM vulnerability impact


We’ve received a lot of inquiries in the past 24 hours about the impact of the so-called VENOM vulnerability (also known as CVE-2015-3456) on the Tilaa platform. The vulnerability lies in the emulated FDC (floppy disk controller), where a privileged guest user could break out of the virtual machine and run code on the hypervisor host with the privileges of the user running the KVM process, for example to read the memory of other virtual machines.

At first glance the Tilaa platform does not seem to be affected by this vulnerability, since we don’t provision a virtual floppy drive in a Tilaa VPS and have never done so in the past. What we’re currently uncertain about is whether there is a related code path in the qemu-kvm process which can be reached by a guest user even if no FDC device is actually present. That’s probably unlikely, but we need to be sure given the possible impact.

Finally I would like to say that this is a serious vulnerability and it deserves serious attention, but it’s a shame that these kinds of vulnerabilities only get their well-deserved attention if they have an (arguably) cool name, logo and website.

In any case, we are always on top of the security errata provided by our Linux distribution vendor as well as by important upstream projects (such as qemu-kvm), and we patch security issues all the time, even if nobody talks about them.

Update 2015-05-15: 

It seems we underestimated the impact of this issue and we are unfortunately vulnerable, despite the fact that we don’t provision a virtual floppy drive. No (public) exploit seems to exist at this time, but this could of course change any minute.

We are currently building a new qemu-kvm package for our platform and will deploy it after it passes our QA and testing procedures. Once that is done we will inform our customers and ask them to reboot their servers as soon as possible. Servers that have not been rebooted manually will be forcibly rebooted after a certain (as yet undecided) grace period.
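Why the reboot step matters: installing a patched qemu-kvm package replaces the binary on disk, but every guest whose qemu process was started before the update keeps running the old, vulnerable code until that process is restarted. The following script is an added example and is not Tilaa's own tooling; it assumes a Linux hypervisor host with the usual /proc layout, where a process whose executable was replaced after it started shows up in `/proc/<pid>/exe` as `... (deleted)`. The qemu process names it matches (`qemu*`, `kvm`) are an assumption as well. The `PROC_ROOT` parameter exists only so the logic can be exercised against a constructed fake tree.

```shell
#!/bin/sh
# Added example (not from the original post): find guests on a hypervisor host
# that still run a pre-update qemu binary and therefore need a restart.
# Assumption: Linux /proc semantics, where a replaced executable is reported by
# readlink /proc/<pid>/exe with a trailing " (deleted)".

# Return 0 (true) when a readlink result for /proc/<pid>/exe indicates that the
# binary the process started from has since been replaced on disk.
is_stale_exe() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the PIDs of qemu processes under PROC_ROOT (default /proc) whose
# executable is stale. Process names are matched on /proc/<pid>/comm; the
# qemu*/kvm patterns are an assumption and may need adjusting per distribution.
find_stale_qemu() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        comm="$(cat "$dir/comm" 2>/dev/null)" || continue
        case "$comm" in
            qemu*|kvm) ;;
            *) continue ;;
        esac
        # Reading exe may fail for processes owned by other users; skip those.
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        if is_stale_exe "$exe"; then
            echo "$pid"
        fi
    done
}

# Usage on a host (run as root so every /proc/<pid>/exe is readable):
#   find_stale_qemu | while read -r pid; do echo "guest pid $pid needs restart"; done
```

An empty result after the grace period is the condition to check for before declaring the host clean; any PID still listed corresponds to a guest that was not rebooted and is still running the unpatched code.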

Update 2015-05-19:

All virtual machines have been restarted. We are no longer vulnerable.
