Views: 10816 | Replies: 11

[Other related] Virtual machine vulnerability VENOM has existed for 11 years and affects many platforms

旷月108
Posted on 2015-5-17 15:22:29
Researchers named this vulnerability "VENOM" (Virtualized Environment Neglected Operations Manipulation) because it exploits long-neglected code: the virtual floppy disk controller. Jason Geffner, who discovered the vulnerability, said the affected platforms include Xen, KVM, Oracle VM VirtualBox and the QEMU client.


Portal ——> Express link
旷月108
OP | Posted on 2015-5-17 19:22:52
The original text is as follows:

Vendor advisories, patches, and notifications are available below in the Q&A section.


VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.


Exploitation of the VENOM vulnerability can expose access to corporate intellectual property (IP), in addition to sensitive and personally identifiable information (PII), potentially impacting the thousands of organizations and millions of end users that rely on affected VMs for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy.

For more information, read Dmitri Alperovitch’s blog post, Community Patching & Mitigation Update.

Q+A: Learn More About VENOM

What products are affected?
The bug is in QEMU’s virtual Floppy Disk Controller (FDC). This vulnerable FDC code is used in numerous virtualization platforms and appliances, notably Xen, KVM, and the native QEMU client.

VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.

Since the VENOM vulnerability exists in the hypervisor’s codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, etc.).

Though the VENOM vulnerability is also agnostic of the guest operating system, an attacker (or an attacker’s malware) would need to have administrative or root privileges in the guest operating system in order to exploit VENOM.


What vendors have released patches and advisories?
CrowdStrike is aware of the following vendor patches, advisories, and notifications.

QEMU: http://git.qemu.org/?p=qemu.git; ... c0718795fedee2e824c
Xen Project: http://xenbits.xen.org/xsa/advisory-133.html
Red Hat: https://access.redhat.com/articles/1444903
Citrix: http://support.citrix.com/article/CTX201078
FireEye: https://www.fireeye.com/content/ ... m-vulnerability.pdf
Linode: https://blog.linode.com/2015/05/ ... ability-and-linode/
Rackspace: https://community.rackspace.com/general/f/53/t/5187
Ubuntu: http://www.ubuntu.com/usn/usn-2608-1/
Debian: https://security-tracker.debian.org/tracker/CVE-2015-3456
Suse: https://www.suse.com/support/kb/doc.php?id=7016497
DigitalOcean: https://www.digitalocean.com/com ... e-on-CVE-2015-3456/
f5: https://support.f5.com/kb/en-us/ ... 0/600/sol16620.html
Joyent: https://help.joyent.com/entries/ ... 15-3456-in-KVM-QEMU
Liquid Web: http://www.liquidweb.com/kb/info ... ulnerability-venom/
UpCloud: http://status.upcloud.com/incidents/tt05z2340wws
Amazon: http://aws.amazon.com/security/s ... sory_CVE_2015_3456/
We recommend you reach out to your vendors directly to get the latest security updates.


Have you seen VENOM exploits in the wild?
Neither CrowdStrike nor our industry partners had seen this vulnerability exploited in the wild prior to CrowdStrike's public disclosure.


Floppy drives are outdated, so why are these products still vulnerable?
For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.


How is this different from previous VM escape vulnerabilities?
Most VM escape vulnerabilities discovered in the past were only exploitable in non-default configurations or in configurations that wouldn’t be used in secured environments. Other VM escape vulnerabilities only applied to a single virtualization platform, or didn’t directly allow for arbitrary code execution.

CVE-2007-1744 – Directory traversal vulnerability in shared folders feature
CVE-2008-0923 – Path traversal vulnerability in VMware’s shared folders implementation
CVE-2009-1244 – Cloudburst (VMware virtual video adapter vulnerability)
CVE-2011-1751 – Missing hotplug check during device removal
CVE-2012-0217 – 64-bit PV guest privilege escalation vulnerability
CVE-2014-0983 – Oracle VirtualBox 3D acceleration multiple memory corruption vulnerabilities
VENOM (CVE-2015-3456) is unique in that it applies to a wide array of virtualization platforms, works on default configurations, and allows for direct arbitrary code execution.


What is the vulnerability?
The guest operating system communicates with the FDC by sending commands such as seek, read, write, format, etc. to the FDC’s input/output port. QEMU’s virtual FDC uses a fixed-size buffer for storing these commands and their associated data parameters. The FDC keeps track of how much data to expect for each command and, after all expected data for a given command is received from the guest system, the FDC executes the command and clears the buffer for the next command.

This buffer reset is performed immediately at the completion of processing for all FDC commands, except for two of the defined commands. An attacker can send these commands and specially crafted parameter data from the guest system to the FDC to overflow the data buffer and execute arbitrary code in the context of the host’s hypervisor process.


How long has this bug existed?
The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase.


How was the VENOM vulnerability discovered?
Jason Geffner, CrowdStrike Senior Security Researcher, discovered the vulnerability while performing a security review of virtual machine hypervisors.


How was the response to the vulnerability coordinated?
After verifying the vulnerability, CrowdStrike responsibly disclosed VENOM to the QEMU Security Contact List, Xen Security mailing list, Oracle security mailing list, and the Operating System Distribution Security mailing list on April 30, 2015.

After a patch was developed CrowdStrike publicly disclosed VENOM on May 13, 2015. Since the availability of the patch, CrowdStrike has continued to work with major users of these vulnerable hypervisors to make sure that the vulnerability is patched as quickly as possible.


How do I protect myself from the VENOM vulnerability?
If you administer a system running Xen, KVM, or the native QEMU client, review and apply the latest patches developed to address this vulnerability.

If you have a vendor service or device using one of the affected hypervisors, contact the vendor’s support team to see if their staff has applied the latest VENOM patches.


Is it possible to patch KVM/Xen hypervisors without needing a reboot?
Our friends at Endurance International Group have provided instructions for a procedure to apply VENOM patches for KVM and Xen hypervisors without reboots using libvirt's virsh commands. You can find their procedure documented at venomfix.com.
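The mechanism the advisory describes (a fixed-size command buffer whose index is cleared when a command completes, except after certain commands) modelled in C as an added example for this thread, not QEMU's code: the buffer size, opcodes and byte counts are invented. The pre-fix and hardened behaviour share one function so the single missing reset is visible, and the model refuses the write that the real controller performed out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIFO_LEN      16    /* fixed-size command/parameter buffer (invented size) */
#define CMD_SEEK      0x0f  /* hypothetical opcode: its completion always clears the buffer */
#define CMD_NEGLECTED 0x7f  /* hypothetical opcode: pre-fix, its completion skips the clear */

typedef struct {
    uint8_t fifo[FIFO_LEN];
    size_t  pos;       /* bytes received so far for the current command */
    size_t  expected;  /* bytes (opcode + parameters) this command needs */
} fdc_t;

/* Byte count each modelled command expects, opcode included (invented). */
static size_t bytes_expected(uint8_t opcode) { return opcode == CMD_SEEK ? 3 : 2; }

/* One byte arriving at the controller's data port. With fixed == 0 the pre-fix
 * behaviour is modelled: the index is cleared on completion of every command
 * except CMD_NEGLECTED, so its bytes keep accumulating. With fixed != 0 every
 * completed command clears the index. Returns 0 when the byte is stored, -1 when
 * storing it would run past the buffer (the real controller had no such guard). */
int fdc_write(fdc_t *f, uint8_t b, int fixed)
{
    if (f->pos >= FIFO_LEN) {
        f->pos = 0;                  /* refuse and resynchronise instead of overflowing */
        return -1;
    }
    if (f->pos == 0)
        f->expected = bytes_expected(b);
    f->fifo[f->pos++] = b;
    if (f->pos >= f->expected && (fixed || f->fifo[0] != CMD_NEGLECTED))
        f->pos = 0;                  /* command complete: clear for the next one */
    return 0;
}

/* Sends `opcode` plus its (zero) parameter bytes `n` times and returns the
 * index of the first refused byte, or -1 if the controller accepted them all. */
int first_refused_write(uint8_t opcode, int n, int fixed)
{
    fdc_t f;
    size_t len = bytes_expected(opcode);
    int idx = 0;
    memset(&f, 0, sizeof f);
    for (int i = 0; i < n; i++)
        for (size_t k = 0; k < len; k++, idx++)
            if (fdc_write(&f, k == 0 ? opcode : 0x00, fixed) != 0)
                return idx;
    return -1;
}
```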
旷月108
OP | Posted on 2015-5-17 19:26:34
This post was last edited by 旷月108 on 2015-5-17 19:33

Machine translation of the above into Chinese.

菩提祖师
Posted on 2015-5-17 17:45:00
Doesn't it say a "fix" is described?
But it doesn't give the website for that "fix"...
旷月108
OP | Posted on 2015-5-17 17:55:58
菩提祖师 posted on 2015-5-17 17:45
Doesn't it say a "fix" is described?
But it doesn't give the website for that "fix"...

It was submitted to the vendors and is awaiting their response; I guess more details will be disclosed only after the vendors release fixes. In any case, it was not in the VirtualBox changelog from a few days ago; wait for later versions.
菩提祖师
Posted on 2015-5-17 18:47:56
旷月108 posted on 2015-5-17 17:55
It was submitted to the vendors and is awaiting their response; I guess more details will be disclosed only after the vendors release fixes. In any case, it was not in the VirtualBox changelog from a few days ago ...

Based on the information provided in the article
I found a URL: http://venom.crowdstrike.com/
Not sure whether it is the website mentioned in the article, but some of the images look the same
The domain and so on also match the organization in the article exactly...
My English is weak, I can't read it
恋爱的夏娜
Posted on 2015-5-17 19:00:50 from mobile
Just noticed, there seems to be no VMware or Hyper-V?
旷月108
OP | Posted on 2015-5-17 19:05:24
菩提祖师 posted on 2015-5-17 18:47
Based on the information provided in the article
I found a URL: http://venom.crowdstrike.com/
Not sure whether it is the website mentioned in the article, ...

That's the one; I'll attach a rough Chinese translation shortly for a look.


旷月108
OP | Posted on 2015-5-17 19:35:13
恋爱的夏娜 posted on 2015-5-17 19:00
Just noticed, there seems to be no VMware or Hyper-V?

VMware and Hyper-V were spared.
薄荷
Posted on 2015-5-17 21:15:49
恋爱的夏娜 posted on 2015-5-17 19:00
Just noticed, there seems to be no VMware or Hyper-V?

Not reading carefully, those are not affected.......

Okay, actually I came to poke fun at your custom title: that is why the wife wants to make the mistress her best friend.
Copyright © KaFan  KaFan.cn All Rights Reserved.
