The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "EGI CSIRT:Alerts/VENOM-2015-05-13"
Jump to navigation
Jump to search
(Created page with "{{New-Egi-csirt-header}} <pre> ** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI S...") |
|||
| (2 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
<pre> | <pre> | ||
** WHITE information - Unlimited distribution allowed ** | ** WHITE information - Unlimited distribution allowed ** | ||
| Line 10: | Line 9: | ||
EGI SVG ADVISORY [EGI-SVG-CSIRT-2015-05-13] | EGI SVG ADVISORY [EGI-SVG-CSIRT-2015-05-13] | ||
Title: EGI SVG and CSIRT Advisory | Title: EGI SVG and CSIRT Advisory "Critical/Low". "VENOM: QEMU vulnerability (CVE-2015-3456)" | ||
"VENOM: QEMU vulnerability (CVE-2015-3456)" | |||
Date: 2015-05-13 | Date: 2015-05-13 | ||
Updated: | Updated: 2015-05-15 | ||
| Line 23: | Line 21: | ||
============ | ============ | ||
A serious vulnerability has been found | |||
scenario | |||
A serious vulnerability has been found in virtualization software, granting, in the | |||
worst case scenario, arbitrary code execution on the host to privileged guest users. | |||
This may allow an attacker to gain privileged access to other guests on the same | |||
host. | |||
All x86 and x86-64 based HVM Xen and QEMU/KVM guests are affected. | All x86 and x86-64 based HVM Xen and QEMU/KVM guests are affected. | ||
Patches are available for | Patches are available for most software see [R3-R7], [R 9] | ||
| Line 36: | Line 38: | ||
======= | ======= | ||
For a description of this vulnerability see [R 1] | For a description of this vulnerability see [R 1],[R 8] and [R 13] | ||
A description by RedHat is in [R 2] | A description by RedHat is in [R 2] | ||
A Proof of Concept exploit (self DOS) is now available [R 11]. | |||
There is no indication of a public exploit granting arbitrary code execution on the | |||
host yet, but such exploits are expected. | |||
Risk category | Risk category | ||
============= | ============= | ||
Depending on the virtualization configuration and usage, this vulnerability can be | |||
rated between 'Critical' and 'Low'. | |||
Site falling in ANY of the following categories MUST consider this vulnerability as | |||
'Critical': | |||
- EGI Federated Cloud provider | |||
- VOs/users allowed to instantiate/run their own VMs | |||
- Privileged access given to VOs/users on VMs | |||
- Cloud services offered to different parties on shared hypervisors | |||
However, we recommend any site using virtualization technology to fix this | |||
vulnerability as soon as possible: the situation may evolve. | |||
Affected software | Affected software | ||
| Line 56: | Line 76: | ||
----------- | ----------- | ||
This has been fixed for various versions | This has been fixed for various versions. See [R 3] | ||
For Debian | For Debian | ||
----------- | ----------- | ||
This is now fixed for Debian | |||
See [R 4], [R 7] | See [R 4], [R 7] | ||
| Line 68: | Line 90: | ||
----------- | ----------- | ||
This is now fixed for Ubuntu. See [R 5], [R 9] | |||
| Line 77: | Line 99: | ||
Virtual Box | |||
----------- | |||
This appears to be partially affected [R 12] | |||
| Line 82: | Line 109: | ||
========== | ========== | ||
SELinux and in particular sVirt, if properly configured and used, can protect | |||
escalations on the host, see [R 14]. | |||
| Line 90: | Line 118: | ||
See software providers information. | See software providers information. | ||
Note, as the qemu processes need to be renewed, every running VM need to be stopped | |||
and restarted. Simple reboot from within the VM do not fix the problem. | |||
| Line 96: | Line 127: | ||
=============== | =============== | ||
Sites are recommended to update relevant components, and follow the instructions provided by the software vendors to mitigate the risk. | EGI Federated Cloud Sites are strongly recommended to update relevant components, | ||
and follow the instructions provided by the software vendors to mitigate the risk as | |||
soon as possible. | |||
| Line 102: | Line 135: | ||
====== | ====== | ||
This vulnerability was discovered by Jason Geffner CrowdStrike Senior Security Researcher and SVG alerted by Sven Gabriel the EGI Security officer [R 1] | This vulnerability was discovered by Jason Geffner CrowdStrike Senior Security | ||
Researcher and SVG alerted by Sven Gabriel the EGI Security officer [R 1] | |||
| Line 123: | Line 157: | ||
https://lists.debian.org/debian-security-announce/2015/msg00148.html | https://lists.debian.org/debian-security-announce/2015/msg00148.html | ||
[R 8] http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine- | |||
bug-threatens-cloud-providers-everywhere/ | |||
[R 9] http://www.ubuntu.com/usn/usn-2608-1/ | |||
[R 10] http://blog.erratasec.com/2015/05/some-technical-notes-on- | |||
venom.html#.VVRYlPNwbq4 | |||
[R 11] http://www.openwall.com/lists/oss-security/2015/05/13/29 | |||
[R 12] https://news.ycombinator.com/item?id=9541982 | |||
[R 13] http://openwall.com/lists/oss-security/2015/05/14/12 | |||
[R 14] http://maciej.lasyk.info/2015/May/13/selinux-svirt-vs-venom-vulnerability/ | |||
Comments | Comments | ||
| Line 130: | Line 180: | ||
Comments or questions should be sent to svg-rat@mailman.egi.eu | Comments or questions should be sent to svg-rat@mailman.egi.eu | ||
We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. | We are currently revising the vulnerability issue handling procedure so suggestions | ||
and comments are welcome. | |||
| Line 139: | Line 190: | ||
2015-05-13 SVG alerted to this issue by Sven Gabriel the EGI Security officer | 2015-05-13 SVG alerted to this issue by Sven Gabriel the EGI Security officer | ||
2015-05-13 Advisory/alert drafted and sent to sites | 2015-05-13 Advisory/alert drafted and sent to sites | ||
2015-05-15 Advisory/alert updated. | |||
</pre> | </pre> | ||
Latest revision as of 15:06, 15 May 2015
| EGI-CSIRT web site | EGI-CSIRT Public wiki | EGI-CSIRT Contacts | EGI-CSIRT Activities | EGI-CSIRT Private wiki |
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI SVG ADVISORY [EGI-SVG-CSIRT-2015-05-13] Title: EGI SVG and CSIRT Advisory "Critical/Low". "VENOM: QEMU vulnerability (CVE-2015-3456)" Date: 2015-05-13 Updated: 2015-05-15 URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/VENOM-2015-05-13 Introduction ============ A serious vulnerability has been found in virtualization software, granting, in the worst case scenario, arbitrary code execution on the host to privileged guest users. This may allow an attacker to gain privileged access to other guests on the same host. All x86 and x86-64 based HVM Xen and QEMU/KVM guests are affected. Patches are available for most software see [R3-R7], [R 9] Details ======= For a description of this vulnerability see [R 1],[R 8] and [R 13] A description by RedHat is in [R 2] A Proof of Concept exploit (self DOS) is now available [R 11]. There is no indication of a public exploit granting arbitrary code execution on the host yet, but such exploits are expected. Risk category ============= Depending on the virtualization configuration and usage, this vulnerability can be rated between 'Critical' and 'Low'. Site falling in ANY of the following categories MUST consider this vulnerability as 'Critical': - EGI Federated Cloud provider - VOs/users allowed to instantiate/run their own VMs - Privileged access given to VOs/users on VMs - Cloud services offered to different parties on shared hypervisors However, we recommend any site using virtualization technology to fix this vulnerability as soon as possible: the situation may evolve. Affected software ================= For Red Hat ----------- This has been fixed for various versions. See [R 3] For Debian ----------- This is now fixed for Debian See [R 4], [R 7] For Ubuntu ----------- This is now fixed for Ubuntu. See [R 5], [R 9] Xen ---- See [R 6] Virtual Box ----------- This appears to be partially affected [R 12] Mitigation ========== SELinux and in particular sVirt, if properly configured and used, can protect escalations on the host, see [R 14]. Component installation information ================================== See software providers information. Note, as the qemu processes need to be renewed, every running VM need to be stopped and restarted. Simple reboot from within the VM do not fix the problem. Recommendations =============== EGI Federated Cloud Sites are strongly recommended to update relevant components, and follow the instructions provided by the software vendors to mitigate the risk as soon as possible. Credit ====== This vulnerability was discovered by Jason Geffner CrowdStrike Senior Security Researcher and SVG alerted by Sven Gabriel the EGI Security officer [R 1] References ========== [R 1] http://venom.crowdstrike.com/ [R 2] https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/ [R 3] https://access.redhat.com/articles/1444903 [R 4] https://security-tracker.debian.org/tracker/CVE-2015-3456 [R 5] https://bugs.launchpad.net/bugs/cve/2015-3456 [R 6] Xen info http://seclists.org/oss-sec/2015/q2/421 [R 7] Debian https://lists.debian.org/debian-security-announce/2015/msg00148.html [R 8] http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine- bug-threatens-cloud-providers-everywhere/ [R 9] http://www.ubuntu.com/usn/usn-2608-1/ [R 10] http://blog.erratasec.com/2015/05/some-technical-notes-on- venom.html#.VVRYlPNwbq4 [R 11] http://www.openwall.com/lists/oss-security/2015/05/13/29 [R 12] https://news.ycombinator.com/item?id=9541982 [R 13] http://openwall.com/lists/oss-security/2015/05/14/12 [R 14] http://maciej.lasyk.info/2015/May/13/selinux-svirt-vs-venom-vulnerability/ Comments ======== Comments or questions should be sent to svg-rat@mailman.egi.eu We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. Timeline ======== Yyyy-mm-dd 2015-05-13 SVG alerted to this issue by Sven Gabriel the EGI Security officer 2015-05-13 Advisory/alert drafted and sent to sites 2015-05-15 Advisory/alert updated.