

By Darren Pauli, 19th May 2015 02:58

Oracle releases antidote for VENOM vulnerability

Patch but don't panic

Oracle has released patches for its virtualisation software to crimp the VENOM vulnerability that allows attackers to break out of virtual machines to attack hosts.

The company follows a host of others, including KVM and Xen, which have already patched the buffer overflow bug. VMware, Microsoft, and Bochs are immune to the problem.

Researcher Jason Geffner of threat intelligence outfit CrowdStrike quietly tipped off vendors including Oracle to VENOM (Virtualised Environment Neglected Operations Manipulation) (CVE-2015-3456) and notified the Oracle, QEMU, and Xen mailing lists.

"The vulnerable virtual Floppy Disk Controller (FDC) code is included in various virtualisation platforms and is used in some Oracle products," the company says in a patch advisory.

"The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC.

"The attacker may be able to send malicious code to the FDC that is executed in the context of the hypervisor process on the host operating system."

The vulnerability can only be exploited remotely by an attacker who is already logged into a guest, but Oracle still considers it severe enough to "strongly recommend" that customers apply the patches and reboot as soon as possible.

That limitation prevented mass exploitation.

Affected versions include VirtualBox 3.2, 4.0, 4.1, 4.2, and 4.3 prior to 4.3.28; Oracle VM 2.2, 3.2, and 3.3; and Oracle Linux 5, 6, and 7.
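For administrators with many VirtualBox hosts, the affected list above is easiest to apply as a script. The following is an added example, not code from the article or from Oracle: it parses the version string printed by `VBoxManage --version` and classifies the host against the branches the article names. The output format assumed (for example `4.3.26r98988`, possibly preceded by kernel-module warnings and carrying a distro tag such as `_Ubuntu`) is an assumption about the tool, and because the article gives a first fixed release only for the 4.3 branch, the other listed branches are flagged for a look at the vendor advisory rather than judged patched or not.

```python
import re
import subprocess
from typing import Optional, Tuple

# Added example: triage helper for CVE-2015-3456 (VENOM) on VirtualBox hosts.
# Only the branches the article lists are encoded here; the VBoxManage
# output format handled below ("4.3.26r98988") is an assumption.

# Branches the article names as affected.
AFFECTED_BRANCHES = {"3.2", "4.0", "4.1", "4.2", "4.3"}
# First fixed patch level per branch; the article gives this only for 4.3.
FIRST_FIXED = {"4.3": 28}

# Match the first "major.minor.patch" at the start of a line so that any
# WARNING lines VBoxManage prints before the version are skipped, and the
# revision ("r98988") or distro tag ("_Ubuntu") after it is ignored.
VERSION_RE = re.compile(r"(?m)^(\d+)\.(\d+)\.(\d+)")


def parse_vbox_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from VBoxManage --version output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def venom_status(output: str) -> str:
    """Classify a host's VirtualBox build against the article's affected list.

    Returns one of:
      "unknown"                        - version could not be parsed
      "not-listed"                     - branch not among those the article names
      "affected-branch-check-advisory" - listed branch, no fixed level on the page
      "vulnerable" / "patched"         - 4.3 branch below / at-or-above 4.3.28
    """
    v = parse_vbox_version(output)
    if v is None:
        return "unknown"
    major, minor, patch = v
    branch = f"{major}.{minor}"
    if branch not in AFFECTED_BRANCHES:
        return "not-listed"
    fixed = FIRST_FIXED.get(branch)
    if fixed is None:
        return "affected-branch-check-advisory"
    return "patched" if patch >= fixed else "vulnerable"


def check_local_host() -> str:
    """Run VBoxManage on this machine and classify it (offline-safe on failure)."""
    try:
        out = subprocess.run(
            ["VBoxManage", "--version"], capture_output=True, text=True, timeout=10
        ).stdout
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return venom_status(out)


if __name__ == "__main__":
    # Constructed sample outputs, then the real local check if VBoxManage exists.
    for sample in ("4.3.26r98988", "4.3.28r100309", "4.2.30_Ubuntur98988"):
        print(f"{sample:24s} -> {venom_status(sample)}")
    print("local host ->", check_local_host())
```

Run it from a configuration-management job or over SSH and collect the status per host; anything that is not `patched` or `not-listed` goes on the reboot list the advisory calls for.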

Further diluting the potency of VENOM is the immunity of AWS Xen instances.

Trustwave threat intelligence manager Karl Sigler says the bug is similar to a privilege escalation bug in that it is predicated on existing access to virtual machines.

"Most corporate virtual environments are isolated from anonymous or public access and would be immune to attack," Sigler told El Reg.

"I would see this attack typically used to target hosting companies that use virtual environments like KVM. An attacker would purchase a KVM instance then use VENOM to breach the hosting machine." ®
