VENOM Vulnerability - All VM are in Risk? (CVE-2015-3456)

VENOM (CVE-2015-3456)

is (Virtualized Eniroment Negleted Operations Manipulation), lo que

viene a decir, que se ha descubierto una vulnerabilidad que permite

acceder por completo al entorno de ejecución del hipervisor desde una

máquina virtual cualquiera, lo que significa acceder por completo al

entorno de ejecución del resto de máquina virtuales que tiene el Host en

ejecución.

 Xen Security Advisory CVE-2015-3456 / XSA-133



version 2



Privilege escalation via emulated floppy disk drive

A continuación un ejemplo gráfico que ilustrará en que consiste la

vulnerabilidad, y ayudará para evaluar el nivel de riesgo que tiene tu

organización, si estas afectado por VENOM:

Crowdstrike - VENOM vulnerability

This vulnerability may allow an attacker to escape from the confines

of an affected virtual machine (VM) guest and potentially obtain

code-execution access to the host.*

Pero **¿Qué sistema de virtualización se

encuentra afectado por dicha vulnerabilidad?**

<span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“>The

bug is in QEMU’s virtual Floppy Disk Controller (FDC). This vulnerable

FDC code is used in numerous virtualization platforms and appliances,

notably Xen, KVM, and the native QEMU client.

<span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“>

Sabemos **por tanto que no todas VM se

encuentran en riesgo,** sino aquellas que están “running” en

sistema virtuales basado en XEN, KVM y QEMU.

Las máquinas virtuales sobre VMware, Microsoft Hyper-V y <span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“> <span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“>Bochs<span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“> 

no se encuentran afectadas por esta vulnerabilidad.

<span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“>

<span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“>UPDATE:

Si trabajas con KVM, QEMU y XEN Hypervisor, consulta las novedades en

parches y actualizaciones de seguridad, aquí os dejo una muestra:

<span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“>

CrowdStrike is aware of the following vendor patches, advisories, and

notifications.

• QEMU: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c](http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c)

• Xen Project: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>http://xenbits.xen.org/xsa/advisory-133.html](http://xenbits.xen.org/xsa/advisory-133.html)

• Red Hat: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>https://access.redhat.com/articles/1444903](https://access.redhat.com/articles/1444903)

• Citrix: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>http://support.citrix.com/article/CTX201078](http://support.citrix.com/article/CTX201078)

• FireEye: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf](https://www.fireeye.com/content/dam/fireeye-www/support/pdfs/fireeye-venom-vulnerability.pdf)

• Linode: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/](https://blog.linode.com/2015/05/13/venom-cve-2015-3456-vulnerability-and-linode/)

• Rackspace: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>https://community.rackspace.com/general/f/53/t/5187](https://community.rackspace.com/general/f/53/t/5187)

• Ubuntu: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>http://www.ubuntu.com/usn/usn-2608-1/](http://www.ubuntu.com/usn/usn-2608-1/)

• Debian: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>https://security-tracker.debian.org/tracker/CVE-2015-3456](https://security-tracker.debian.org/tracker/CVE-2015-3456)

• Suse: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>https://www.suse.com/support/kb/doc.php?id=7016497](https://www.suse.com/support/kb/doc.php?id=7016497)

• DigitalOcean: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/](https://www.digitalocean.com/company/blog/update-on-CVE-2015-3456/)

• f5: [<span

  style=“border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-style: inherit; font-weight: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;“>https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html](https://support.f5.com/kb/en-us/solutions/public/16000/600/sol16620.html)

We recommend you reach out to your vendors directly to get the latest

security updates.

¿Qué pasa con QubesOS?

<span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“>

Hasta que no salga la versión 3.0 ésta se encuentra desarrollada sobre

un hypervisor XEN, por lo que consulta la [página

oficial](https://www.qubes-os.org/community/) para conocer si esta

disponible el parche.

<span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“>

<span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“>Referencia: <span

style=“color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif;“><span

style=“font-size: 14px; line-height: 18px;“>http://venom.crowdstrike.com/

| http://xenbits.xen.org/xsa/advisory-133.html

<span

style=“color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif;“><span

style=“font-size: 14px; line-height: 18px;“>#ST2Labs -

www.st2labs.com

<span

style=“background-color: rgba(0, 0, 0, 0.0392157); color: #494949; font-family: karlaregular, Helvetica, Arial, sans-serif; font-size: 14px; line-height: 18px;“>

Ver también

• Gordon - Cyber reputation checks
• Migration
• Guia rápida para realizar un Pentesting
• [cymon-analyzer] | Modulo de Análisis Reputación IP en Cymon.io para Cortex Engine | theHive-project
• [SIPI] Simple IP Information Tool is out