Vulnerabilities > CVE-2015-3456 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
| description | VENOM, Xen 4.5.x, QEMU. CVE-2015-3456. Dos exploits for multiple platform |
| file | exploits/multiple/dos/37053.c |
| id | EDB-ID:37053 |
| last seen | 2016-02-04 |
| modified | 2015-05-18 |
| platform | multiple |
| port | |
| published | 2015-05-18 |
| reporter | Marcus Meissner |
| source | https://www.exploit-db.com/download/37053/ |
| title | QEMU - Floppy Disk Controller FDC PoC |
| type | dos |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2015-8248.NASL description - CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz #1221152) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-26 plugin id 83791 published 2015-05-26 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83791 title Fedora 20 : qemu-1.6.2-14.fc20 (2015-8248) (Venom) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2015-8248. # include("compat.inc"); if (description) { script_id(83791); script_version("2.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-3456"); script_xref(name:"FEDORA", value:"2015-8248"); script_name(english:"Fedora 20 : qemu-1.6.2-14.fc20 (2015-8248) (Venom)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz #1221152) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1218611" ); # https://lists.fedoraproject.org/pipermail/package-announce/2015-May/158348.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ae71940d" ); script_set_attribute(attribute:"solution", value:"Update the affected qemu package."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:qemu"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20"); script_set_attribute(attribute:"patch_publication_date", value:"2015/05/15"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC20", reference:"qemu-1.6.2-14.fc20")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu"); }NASL family Fedora Local Security Checks NASL id FEDORA_2015-8194.NASL description Privilege escalation via emulated floppy disk drive [XSA-133, CVE-2015-3456] (#1221153) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-27 plugin id 83828 published 2015-05-27 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83828 title Fedora 22 : xen-4.5.0-9.fc22 (2015-8194) (Venom) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2015-8194. # include("compat.inc"); if (description) { script_id(83828); script_version("2.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-3456"); script_xref(name:"FEDORA", value:"2015-8194"); script_name(english:"Fedora 22 : xen-4.5.0-9.fc22 (2015-8194) (Venom)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Privilege escalation via emulated floppy disk drive [XSA-133, CVE-2015-3456] (#1221153) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1218611" ); # https://lists.fedoraproject.org/pipermail/package-announce/2015-May/158648.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1d82eb7a" ); script_set_attribute(attribute:"solution", value:"Update the affected xen package."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xen"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22"); script_set_attribute(attribute:"patch_publication_date", value:"2015/05/14"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC22", reference:"xen-4.5.0-9.fc22")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen"); }NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0059.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - force the fifo access to be in bounds of the allocated buffer This is XSA-133. [bug 21078975] (CVE-2015-3456) last seen 2020-06-01 modified 2020-06-02 plugin id 83484 published 2015-05-15 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83484 title OracleVM 2.2 : xen (OVMSA-2015-0059) (Venom) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-363.NASL description qemu was updated to fix a security issue : - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. last seen 2020-06-05 modified 2015-05-19 plugin id 83533 published 2015-05-19 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83533 title openSUSE Security Update : qemu (openSUSE-2015-363) (Venom) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0943-1.NASL description KVM was updated to fix the following issues : CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. Validate VMDK4 version field so we don last seen 2020-06-01 modified 2020-06-02 plugin id 83858 published 2015-05-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83858 title SUSE SLES11 Security Update : KVM (SUSE-SU-2015:0943-1) (Venom) NASL family Fedora Local Security Checks NASL id FEDORA_2015-8249.NASL description - CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz #1221152) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-18 plugin id 83506 published 2015-05-18 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83506 title Fedora 21 : qemu-2.1.3-7.fc21 (2015-8249) (Venom) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0923-1.NASL description XEN was updated to fix two security issues and bugs. Security issues fixed : - CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. - CVE-2015-2751: Xen, when using toolstack disaggregation, allowed remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations. - CVE-2015-2752: The XEN_DOMCTL_memory_mapping hypercall in Xen, when using a PCI passthrough device, was not preemptable, which allowed local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm). - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. Bugs fixed : - xentop: Fix memory leak on read failure Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 83757 published 2015-05-21 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83757 title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:0923-1) (Venom) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0927-1.NASL description Xen was updated to fix two security issues and a bug : CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. An exception in setCPUAffinity when restoring guests. (bsc#910441) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 83853 published 2015-05-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83853 title SUSE SLED11 / SLES11 Security Update : Xen (SUSE-SU-2015:0927-1) (Venom) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-550.NASL description - Version bump to 4.2.32 bnc#938408 CVE-2015-2594 - Storage: fixed a crash when taking snapshots (4.2.30 regression) - ExtPack: don last seen 2020-06-05 modified 2015-08-19 plugin id 85525 published 2015-08-19 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85525 title openSUSE Security Update : virtualbox (openSUSE-2015-550) (Venom) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1001.NASL description Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat Enterprise Virtualization 3.5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83428 published 2015-05-13 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83428 title RHEL 6 : qemu-kvm-rhev (RHSA-2015:1001) (Venom) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1000.NASL description Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat Enterprise Virtualization Hypervisor 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83427 published 2015-05-13 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83427 title RHEL 7 : qemu-kvm-rhev (RHSA-2015:1000) (Venom) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-1003.NASL description Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83421 published 2015-05-13 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83421 title CentOS 5 : kvm (CESA-2015:1003) (Venom) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_2780E442FC5911E4B18B6805CA1D3BB1.NASL description Jason Geffner, CrowdStrike Senior Security Researcher reports : VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host last seen 2020-06-01 modified 2020-06-02 plugin id 83510 published 2015-05-18 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83510 title FreeBSD : qemu, xen and VirtualBox OSE -- possible VM escape and code execution ('VENOM NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0068.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 84140 published 2015-06-12 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84140 title OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2608-1.NASL description Jason Geffner discovered that QEMU incorrectly handled the virtual floppy driver. This issue is known as VENOM. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3456) Daniel P. Berrange discovered that QEMU incorrectly handled VNC websockets. A remote attacker could use this issue to cause QEMU to consume memory, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-1779) Jan Beulich discovered that QEMU, when used with Xen, didn last seen 2020-06-01 modified 2020-06-02 plugin id 83435 published 2015-05-13 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83435 title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : qemu, qemu-kvm vulnerabilities (USN-2608-1) (Venom) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-249.NASL description A vulnerability was discovered in the qemu virtualisation solution : CVE-2015-3456 Jason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in the potential execution of arbitrary code. Despite the end-of-life of qemu-kvm support in the old-oldstable distribution (squeeze-lts), this problem has been fixed in version 0.12.5+dfsg-5+squeeze11 of the qemu-kvm source package due to its severity (the so-called VENOM vulnerability). Further problems may still be present in the qemu-kvm package in the old-oldstable distribution (squeeze-lts) and users who need to rely on qemu-kvm are encouraged to upgrade to a newer version of Debian. We recommend that you upgrade your qemu-kvm packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-06-22 plugin id 84295 published 2015-06-22 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84295 title Debian DLA-249-1 : qemu-kvm security update (Venom) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL16620.NASL description An out-of-bounds memory access flaw, also known as last seen 2020-06-01 modified 2020-06-02 plugin id 83749 published 2015-05-21 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83749 title F5 Networks BIG-IP : QEMU vulnerability (SOL16620) (Venom) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-0998.NASL description Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83418 published 2015-05-13 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83418 title CentOS 6 : qemu-kvm (CESA-2015:0998) (Venom) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-0998.NASL description Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83425 published 2015-05-13 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83425 title RHEL 6 : qemu-kvm (RHSA-2015:0998) (Venom) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-434.NASL description Xen was updated to 4.4.2 to fix multiple vulnerabilities and non-security bugs. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. () - CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. () - CVE-2015-2752: Long latency MMIO mapping operations are not preemptible (XSA-125 boo#922705) - CVE-2015-2756: Unmediated PCI command register access in qemu (XSA-126 boo#922706) - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-2151: Hypervisor memory corruption due to x86 emulator flaw (boo#919464 XSA-123) - CVE-2015-2045: Information leak through version information hypercall (boo#918998 XSA-122) - CVE-2015-2044: Information leak via internal x86 system device emulation (boo#918995 (XSA-121) - CVE-2015-2152: HVM qemu unexpectedly enabling emulated VGA graphics backends (boo#919663 XSA-119) - CVE-2014-3615: information leakage when guest sets high resolution (boo#895528) The following non-security bugs were fixed : - xentop: Fix memory leak on read failure - boo#923758: xen dmesg contains bogus output in early boot - boo#921842: Xentop doesn last seen 2020-06-05 modified 2015-06-23 plugin id 84333 published 2015-06-23 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84333 title openSUSE Security Update : xen (openSUSE-2015-434) (Venom) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-0999.NASL description From Red Hat Security Advisory 2015:0999 : Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83445 published 2015-05-14 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83445 title Oracle Linux 7 : qemu-kvm (ELSA-2015-0999) (Venom) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-1003.NASL description From Red Hat Security Advisory 2015:1003 : Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83447 published 2015-05-14 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83447 title Oracle Linux 5 : kvm (ELSA-2015-1003) (Venom) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-391.NASL description The XEN hypervisor was updated to fix two security issues : - Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. (CVE-2015-3456) - Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. (CVE-2015-3340) last seen 2020-06-05 modified 2015-06-03 plugin id 83965 published 2015-06-03 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83965 title openSUSE Security Update : xen (openSUSE-2015-391) (Venom) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-364.NASL description Qemu was updated to v2.1.3: See http://wiki.qemu-project.org/ChangeLog/2.1 for more information. This update includes a security fix : - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. last seen 2020-06-05 modified 2015-05-19 plugin id 83534 published 2015-05-19 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83534 title openSUSE Security Update : qemu (openSUSE-2015-364) (Venom) NASL family Fedora Local Security Checks NASL id FEDORA_2015-8270.NASL description Privilege escalation via emulated floppy disk drive [XSA-133, CVE-2015-3456] (#1221153) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-27 plugin id 83834 published 2015-05-27 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83834 title Fedora 21 : xen-4.4.2-4.fc21 (2015-8270) (Venom) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0889-2.NASL description Xen was updated to fix a buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. (CVE-2015-3456) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 83852 published 2015-05-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83852 title SUSE SLES10 Security Update : Xen (SUSE-SU-2015:0889-2) (Venom) NASL family Windows NASL id VIRTUALBOX_4_3_28.NASL description The remote host contains a version of Oracle VM VirtualBox that is prior to 3.2.28 / 4.0.30 / 4.1.38 / 4.2.30 / 4.3.28. It is, therefore affected by a flaw in the Floppy Disk Controller (FDC) in the bundled QEMU software due to an overflow condition in last seen 2020-06-01 modified 2020-06-02 plugin id 83729 published 2015-05-20 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83729 title Oracle VM VirtualBox < 3.2.28 / 4.0.30 / 4.1.38 / 4.2.30 / 4.3.28 QEMU FDC Overflow RCE (VENOM) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201602-01.NASL description The remote host is affected by the vulnerability described in GLSA-201602-01 (QEMU: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact : A remote attacker might cause a Denial of Service or gain escalated privileges from a guest VM. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 88587 published 2016-02-05 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88587 title GLSA-201602-01 : QEMU: Multiple vulnerabilities (Venom) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201612-27.NASL description The remote host is affected by the vulnerability described in GLSA-201612-27 (VirtualBox: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in VirtualBox. Please review the CVE identifiers referenced below for details. Impact : Local attackers could cause a Denial of Service condition, execute arbitrary code, or escalate their privileges. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 95695 published 2016-12-12 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95695 title GLSA-201612-27 : VirtualBox: Multiple vulnerabilities (Venom) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0057.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - fdc: force the fifo access to be in bounds of the allocated buffer During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest. Fix this by making sure that the index is always bounded by the allocated memory. This is CVE-2015-3456. XSA-133 (CVE-2015-3456) - fdc: force the fifo access to be in bounds of the allocated buffer During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest. Fix this by making sure that the index is always bounded by the allocated memory. This is CVE-2015-3456. XSA-133 (CVE-2015-3456) - domctl: don last seen 2020-06-01 modified 2020-06-02 plugin id 83482 published 2015-05-15 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83482 title OracleVM 3.3 : xen (OVMSA-2015-0057) (Venom) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0929-1.NASL description KVM was updated to fix the following security issues : CVE-2015-3456: Buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. CVE-2014-0222: Integer overflow in the qcow_open function in block/qcow.c in QEMU allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image. CVE-2014-0223: Integer overflow in the qcow_open function in block/qcow.c in QEMU allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 83854 published 2015-05-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83854 title SUSE SLES11 Security Update : KVM (SUSE-SU-2015:0929-1) (Venom) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201604-03.NASL description The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 90380 published 2016-04-07 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90380 title GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1011.NASL description Updated rhev-hypervisor packages that fix one security issue are now available. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The rhev-hypervisor packages provide a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83536 published 2015-05-19 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83536 title RHEL 7 : rhev-hypervisor (RHSA-2015:1011) (Venom) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-0998.NASL description From Red Hat Security Advisory 2015:0998 : Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83444 published 2015-05-14 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83444 title Oracle Linux 6 : qemu-kvm (ELSA-2015-0998) (Venom) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-1002.NASL description Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83420 published 2015-05-13 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83420 title CentOS 5 : xen (CESA-2015:1002) (Venom) NASL family SuSE Local Security Checks NASL id SUSE_11_KVM-150513.NASL description KVM was updated to fix a buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. (CVE-2015-3456) last seen 2020-06-01 modified 2020-06-02 plugin id 83515 published 2015-05-18 reporter This script is Copyright (C) 2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83515 title SuSE 11.3 Security Update : KVM (SAT Patch Number 10672) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1031.NASL description Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83844 published 2015-05-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83844 title RHEL 6 : qemu-kvm (RHSA-2015:1031) (Venom) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3274.NASL description Jason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in potential privilege escalation. last seen 2020-06-01 modified 2020-06-02 plugin id 83889 published 2015-05-29 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83889 title Debian DSA-3274-1 : virtualbox - security update (Venom) NASL family Scientific Linux Local Security Checks NASL id SL_20150513_QEMU_KVM_ON_SL6_X.NASL description An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-03-18 modified 2015-05-14 plugin id 83458 published 2015-05-14 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83458 title Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64 (20150513) (Venom) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-0999.NASL description Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83419 published 2015-05-13 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83419 title CentOS 7 : qemu-kvm (CESA-2015:0999) (Venom) NASL family Fedora Local Security Checks NASL id FEDORA_2015-8220.NASL description - CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz #1221152) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-27 plugin id 83829 published 2015-05-27 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83829 title Fedora 22 : qemu-2.3.0-4.fc22 (2015-8220) (Venom) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1002.NASL description Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83429 published 2015-05-13 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83429 title RHEL 5 : xen (RHSA-2015:1002) (Venom) NASL family Misc. NASL id CITRIX_XENSERVER_CTX201078.NASL description The remote host is running a version of Citrix XenServer that is affected by a flaw in the Floppy Disk Controller (FDC) in the bundled QEMU software due to an overflow condition in hw/block/fdc.c when handling certain commands. An attacker, with access to an account on the guest operating system with privilege to access the FDC, can exploit this flaw to execute arbitrary code in the context of the hypervisor process on the host system. last seen 2020-06-01 modified 2020-06-02 plugin id 83763 published 2015-05-21 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83763 title Citrix XenServer QEMU FDC Buffer Overflow RCE (CTX201078) (VENOM) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1003.NASL description Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83430 published 2015-05-13 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83430 title RHEL 5 : kvm (RHSA-2015:1003) (Venom) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-248.NASL description A vulnerability was discovered in the qemu virtualisation solution : CVE-2015-3456 Jason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in the potential execution of arbitrary code. Despite the end-of-life of qemu support in the old-oldstable distribution (squeeze-lts), this problem has been fixed in version 0.12.5+dfsg-3squeeze4 of the qemu source package due to its severity (the so-called VENOM vulnerability). Further problems may still be present in the qemu package in the old-oldstable distribution (squeeze-lts) and users who need to rely on qemu are encouraged to upgrade to a newer version of Debian. We recommend that you upgrade your qemu packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-06-22 plugin id 84294 published 2015-06-22 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84294 title Debian DLA-248-1 : qemu security update (Venom) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-1002.NASL description From Red Hat Security Advisory 2015:1002 : Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83446 published 2015-05-14 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83446 title Oracle Linux 5 : xen (ELSA-2015-1002) (Venom) NASL family Fedora Local Security Checks NASL id FEDORA_2015-8252.NASL description Privilege escalation via emulated floppy disk drive [XSA-133, CVE-2015-3456] (#1221153) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-27 plugin id 83832 published 2015-05-27 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83832 title Fedora 20 : xen-4.3.4-4.fc20 (2015-8252) (Venom) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-0999.NASL description Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 83426 published 2015-05-13 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83426 title RHEL 7 : qemu-kvm (RHSA-2015:0999) (Venom) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3259.NASL description Several vulnerabilities were discovered in the qemu virtualisation solution : - CVE-2014-9718 It was discovered that the IDE controller emulation is susceptible to denial of service. - CVE-2015-1779 Daniel P. Berrange discovered a denial of service vulnerability in the VNC web socket decoder. - CVE-2015-2756 Jan Beulich discovered that unmediated PCI command register could result in denial of service. - CVE-2015-3456 Jason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in the potential execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 83422 published 2015-05-13 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83422 title Debian DSA-3259-1 : qemu - security update (Venom) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0058.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - force the fifo access to be in bounds of the allocated buffer This is CVE-2015-3456. [bug 21078935] (CVE-2015-3456) - xen: limit guest control of PCI command register Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported Request responses (by disabling memory and/or I/O decoding and subsequently causing [CPU side] accesses to the respective address ranges), which (depending on system configuration) may be fatal to the host. This is CVE-2015-2756 / XSA-126. Conflicts: tools/ioemu-remote/hw/pass-through.c (CVE-2015-2756) - Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) Said hypercall for large BARs can take quite a while. As such we can require that the hypercall MUST break up the request in smaller values. Another approach is to add preemption to it - whether we do the preemption using hypercall_create_continuation or returning EAGAIN to userspace (and have it re-invocate the call) - either way the issue we cannot easily solve is that in last seen 2020-06-01 modified 2020-06-02 plugin id 83483 published 2015-05-15 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83483 title OracleVM 3.2 : xen (OVMSA-2015-0058) (Venom) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0940-1.NASL description Xen was updated to fix two security issues : CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. CVE-2015-3340: An information leak through XEN_DOMCTL_gettscinfo(). (XSA-132) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 83856 published 2015-05-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83856 title SUSE SLES11 Security Update : Xen (SUSE-SU-2015:0940-1) (Venom) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-268.NASL description Three vulnerabilities have been fixed in the Debian squeeze-lts version of VirtualBox (package name: virtualbox-ose), a x86 virtualisation solution. CVE-2015-0377 Avoid VirtualBox allowing local users to affect availability via unknown vectors related to Core, which might result in denial of service. (Other issue than CVE-2015-0418). CVE-2015-0418 Avoid VirtualBox allowing local users to affect availability via unknown vectors related to Core, which might result in denial of service. (Other issue than CVE-2015-0377). CVE-2015-3456 The Floppy Disk Controller (FDC) in QEMU, also used in VirtualBox and other virtualization products, allowed local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-07-07 plugin id 84551 published 2015-07-07 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84551 title Debian DLA-268-1 : virtualbox-ose security update (Venom) NASL family Scientific Linux Local Security Checks NASL id SL_20150513_KVM_ON_SL5_X.NASL description An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-03-18 modified 2015-05-14 plugin id 83457 published 2015-05-14 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83457 title Scientific Linux Security Update : kvm on SL5.x x86_64 (20150513) (Venom) NASL family Scientific Linux Local Security Checks NASL id SL_20150513_QEMU_KVM_ON_SL7_X.NASL description An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-03-18 modified 2015-05-14 plugin id 83459 published 2015-05-14 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83459 title Scientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20150513) (Venom) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3262.NASL description Jason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in the potential execution of arbitrary code. This only affects HVM guests. last seen 2020-06-01 modified 2020-06-02 plugin id 83532 published 2015-05-19 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83532 title Debian DSA-3262-1 : xen - security update (Venom) NASL family Scientific Linux Local Security Checks NASL id SL_20150513_XEN_ON_SL5_X.NASL description An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-03-18 modified 2015-05-14 plugin id 83460 published 2015-05-14 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83460 title Scientific Linux Security Update : xen on SL5.x i386/x86_64 (20150513) (Venom) NASL family Firewalls NASL id CHECK_POINT_GAIA_SK106060.NASL description The remote host is running a version of Gaia OS which is affected by a vulnerability in the virtual floppy drive code which may allow an attacker to escape a virtualized environment and obtain code execution on the underlying host. last seen 2020-06-01 modified 2020-06-02 plugin id 104999 published 2017-12-04 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104999 title Check Point Gaia Operating System VM escape and code execution (sk106060)(VENOM) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0944-1.NASL description Xen was updated to fix two security issues and a bug : CVE-2015-3456: A buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. An exception in setCPUAffinity when restoring guests. (bsc#910441) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 83859 published 2015-05-27 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83859 title SUSE SLES11 Security Update : Xen (SUSE-SU-2015:0944-1) (Venom)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
The Hacker News
| id | THN:7BD85D2AA21CA4E7244B437A1836EBFC |
| last seen | 2018-01-27 |
| modified | 2015-05-14 |
| published | 2015-05-14 |
| reporter | Swati Khandelwal |
| source | https://thehackernews.com/2015/05/venom-vulnerability.html |
| title | Venom Vulnerability Exposes Most Data Centers to Cyber Attacks |
References
- http://rhn.redhat.com/errata/RHSA-2015-1002.html
- http://rhn.redhat.com/errata/RHSA-2015-1000.html
- http://rhn.redhat.com/errata/RHSA-2015-0999.html
- http://rhn.redhat.com/errata/RHSA-2015-0998.html
- http://xenbits.xen.org/xsa/advisory-133.html
- http://rhn.redhat.com/errata/RHSA-2015-1001.html
- https://access.redhat.com/articles/1444903
- http://rhn.redhat.com/errata/RHSA-2015-1003.html
- https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/
- http://venom.crowdstrike.com/
- http://rhn.redhat.com/errata/RHSA-2015-1004.html
- https://www.suse.com/security/cve/CVE-2015-3456.html
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00021.html
- http://www.debian.org/security/2015/dsa-3274
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00019.html
- http://marc.info/?l=bugtraq&m=143229451215900&w=2
- http://www.securityfocus.com/bid/74640
- https://kc.mcafee.com/corporate/index?page=content&id=SB10118
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158072.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.debian.org/security/2015/dsa-3259
- http://www.ubuntu.com/usn/USN-2608-1
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00042.html
- https://support.lenovo.com/us/en/product_security/venom
- http://marc.info/?l=bugtraq&m=143387998230996&w=2
- http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-438937.htm
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10693
- https://bto.bluecoat.com/security-advisory/sa95
- http://www.fortiguard.com/advisory/2015-05-19-cve-2015-3456-venom-vulnerability
- http://support.citrix.com/article/CTX201078
- http://lists.opensuse.org/opensuse-updates/2015-08/msg00021.html
- https://www.exploit-db.com/exploits/37053/
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00001.html
- http://www.securitytracker.com/id/1032311
- http://www.securitytracker.com/id/1032306
- http://www.debian.org/security/2015/dsa-3262
- http://rhn.redhat.com/errata/RHSA-2015-1011.html
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00018.html
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00009.html
- https://kb.juniper.net/JSA10783
- https://security.gentoo.org/glsa/201612-27
- https://security.gentoo.org/glsa/201604-03
- https://security.gentoo.org/glsa/201602-01
- http://www.securitytracker.com/id/1032917
- https://www.arista.com/en/support/advisories-notices/security-advisories/1128-security-advisory-10
- http://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=e907746266721f305d67bc0718795fedee2e824c