

By Darren Pauli, 19th May 2015 02:58

Oracle releases antidote for VENOM vulnerability

Patch but don't panic

Oracle has released patches for its virtualisation software to crimp the VENOM vulnerability that allows attackers to break out of virtual machines to attack hosts.

The company follows a host of others including KVM and Xen which have patched the buffer overflow bug. VMware, Microsoft, and Bochs are immune to the problem.

Researcher Jason Geffner of threat intelligence outfit Crowdstrike quietly tipped off vendors including Oracle to VENOM (Virtualised Environment Neglected Operations Manipulation) (CVE-2015-3456) and notified the Oracle, QEMU, and Xen mailing lists.

"The vulnerable virtual Floppy Disk Controller (FDC) code is included in various virtualisation platforms and is used in some Oracle products," the company says in a patch advisory.

"The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC.

"The attacker may be able to send malicious code to the FDC that is executed in the context of the hypervisor process on the host operating system."

The vulnerability can only be exploited by an attacker who is already logged into a guest, but Oracle still considers it severe enough to "strongly recommend" customers apply the patches and reboot as soon as possible.

That limitation prevented mass exploitation.

Affected versions include VirtualBox 3.2, 4.0, 4.1, 4.2, and 4.3 prior to 4.3.28; Oracle VM 2.2, 3.2, and 3.3; and Oracle Linux 5, 6, and 7.
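As an added example (not code from the article or from Oracle), the check below turns the affected-version list above into something an administrator can run against a VirtualBox host: it parses the leading X.Y.Z of a `VBoxManage --version` style string and reports whether that build still needs the VENOM patch. It assumes the article's list is the only source of truth: 4.3.28 is the one fixed level the article states, so the 3.2, 4.0, 4.1 and 4.2 branches are reported as needing the vendor patch without guessing a fixed level for them, and branches the article does not mention are reported as unlisted rather than safe. The sample version strings are constructed.

```python
"""Added example: classify a VirtualBox version string against the affected
versions the article lists for CVE-2015-3456 (VENOM).  Not Oracle's code.
Assumption: only the 4.3.28 fix level is known from the article; older
listed branches are treated as needing the vendor patch."""
import re
import shutil
import subprocess

# Branches the article names as affected.  Only 4.3 has a stated fix level.
AFFECTED_BRANCHES = {"3.2", "4.0", "4.1", "4.2", "4.3"}
FIXED_LEVEL = {"4.3": (4, 3, 28)}  # 4.3.28 and later carry the fix

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse the leading X.Y.Z of a version string such as '4.3.26r12345'
    (constructed sample; VBoxManage appends an 'r<revision>' suffix).
    Returns an (X, Y, Z) tuple of ints, or None if nothing parses."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def venom_status(version_text):
    """Return 'patched', 'vulnerable', 'unlisted' or 'unparsable'.

    'unlisted' means the branch is not in the article's affected list
    (for example a later major release); it says nothing about other
    advisories, so it is deliberately not reported as 'patched'."""
    v = parse_version(version_text)
    if v is None:
        return "unparsable"
    branch = f"{v[0]}.{v[1]}"
    if branch not in AFFECTED_BRANCHES:
        return "unlisted"
    fixed = FIXED_LEVEL.get(branch)
    if fixed is None:
        # Listed as affected but no fix level stated on the page:
        # report it as needing the vendor patch rather than guessing.
        return "vulnerable"
    return "patched" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample strings; on a host with VirtualBox installed the
    # real VBoxManage output is checked first.
    samples = ["4.3.26r12345", "4.3.28r12345", "4.2.30", "5.0.0", "n/a"]
    if shutil.which("VBoxManage"):
        out = subprocess.run(["VBoxManage", "--version"],
                             capture_output=True, text=True)
        samples.insert(0, out.stdout)
    for s in samples:
        print(f"{s.strip():<16} -> {venom_status(s)}")
```

Because the article gives only one fixed level, a result of "vulnerable" on the older branches means "apply Oracle's patch for that branch", not that a specific later point release is known to be bad; the script keeps that distinction rather than inventing numbers.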

Further diluting the potency of VENOM is the immunity of AWS Xen instances.

Trustwave threat intelligence manager Karl Sigler says the bug is similar to a privilege escalation bug in that it is predicated on existing access to virtual machines.

"Most corporate virtual environments are isolated from anonymous or public access and would be immune to attack," Sigler told El Reg.

"I would see this attack typically used to target hosting companies that use virtual environments like KVM. An attacker would purchase a KVM instance then use VENOM to breach the hosting machine." ®
