May 13, 2015

Threat Update | VENOM Vulnerability

CrowdStrike has disclosed a vulnerability that impacts a large number of virtual machine (VM) products. CrowdStrike named this vulnerability, tracked as CVE-2015-3456, VENOM, which stands for Virtualized Environment Neglected Operations Manipulation. CrowdStrike Intelligence is not aware of any in-the-wild exploitation of this vulnerability.

The specific issue is a buffer overflow vulnerability exposed by a race condition in QEMU’s hardware emulation code. The vulnerability may allow a local privileged attacker to escape from the confines of a virtual machine (VM) guest system and obtain code-execution access to the host system. Because the bug is in the hypervisor code, exploitation is independent of the host or guest operating system and should work across all platforms (Windows, Linux, Mac, etc.).

To carry out this attack, the attacker must have privileged local access to the guest VM. This escape has no relationship to any specific actor.

Organizations using hypervisor platforms, including Xen, KVM, Oracle VirtualBox, and the native QEMU client, should contact their vendors for additional information. Herjavec Group will engage our partners appropriately and communicate necessary patches and updates as information becomes available.

VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.

Infrastructure as a Service (IaaS) companies, as well as security vendors utilizing virtual machines, may be susceptible to exploitation of this vulnerability. CrowdStrike will post patch information by affected vendors on the VENOM FAQ site.
