SDLab

SDLab.org::Adminな脳み

Thursday, May 14, 2015

VENOM

About VENOM (Virtualized Environment Neglected Operations Manipulation)

◆Details

Crowdstrike.com
Q+A: Learn More About VENOM
http://venom.crowdstrike.com/

◆Xen

[Xen-users] Xen Security Advisory 133 (CVE-2015-3456) - Privilege escalation via emulated floppy disk drive
http://lists.xen.org/archives/html/xen-users/2015-05/msg00109.html


ISSUE DESCRIPTION
=================
The code in qemu which emulates a floppy disk controller did not
correctly bounds check accesses to an array and therefore was
vulnerable to a buffer overflow attack.

◆XenServer

Citrix Security Advisory for CVE-2015-3456
http://support.citrix.com/article/CTX201078

Description of Problem
Citrix is aware of the recent vulnerability that has been reported against the Xen hypervisor. This issue is known as the 'VENOM' vulnerability and has been assigned the following CVE number:
CVE-2015-3456: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
The following sections will provide guidance to customers on the potential impact of this issue. Citrix is actively analysing the impact of this vulnerability on supported versions of Citrix XenServer. Additional details and guidance will be added to this document as soon as they are available.
<Update 2015/5/19>

https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/

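With VENOM, running specific commands inside a VM allows arbitrary commands to be executed on the hypervisor.
However, Red Hat says that while the specific commands can be issued, actual execution on the hypervisor has not been confirmed.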
We believe that code execution is possible but we have not yet seen any working reproducers that would allow this.
Also, the existing exploits crash QEMU, so watching the logs for segfaults should apparently make it possible to detect the attack.
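
The log check described above, as an added example (not code from the original post or from Red Hat): it scans kernel log lines for segfaults raised by a QEMU process. It assumes the Linux x86 kernel segfault message format and that device-model process names start with "qemu"; the sample log lines are constructed.

```python
import re

# Linux x86 kernel segfault line, as it appears in dmesg / syslog:
#   comm[pid]: segfault at ADDR ip IP sp SP error N in IMAGE[base+size]
# The kernel truncates comm to 15 characters; the " in IMAGE" part may be absent.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<image>[^\[\s]+))?"
)

# Assumption: device-model processes are named qemu-dm, qemu-kvm,
# qemu-system-* and so on; adjust the prefix for your platform.
QEMU_PREFIX = "qemu"

def find_qemu_segfaults(lines):
    """Return one dict per kernel segfault line raised by a QEMU process."""
    hits = []
    for line in lines:
        m = SEGFAULT_RE.search(line)
        if not m:
            continue
        image = m.group("image") or ""
        if not (m.group("comm").startswith(QEMU_PREFIX) or image.startswith(QEMU_PREFIX)):
            continue
        hits.append({
            "comm": m.group("comm"), "pid": int(m.group("pid")),
            "addr": m.group("addr"), "ip": m.group("ip"), "line": line.rstrip(),
        })
    return hits

# Constructed sample log lines (not taken from a real incident).
SAMPLE_LOG = """\
May 19 10:02:11 host1 kernel: [81234.112233] qemu-system-x86[4321]: segfault at 7f3a5c0011f8 ip 00007f3a5b8c2d10 sp 00007ffd1c2a9e40 error 6 in qemu-system-x86_64[7f3a5b600000+4a1000]
May 19 10:02:12 host1 kernel: [81235.000001] br0: port 3(vif4.0) entered disabled state
May 19 10:05:40 host1 kernel: [81443.500000] firefox[999]: segfault at 0 ip 000000000040abcd sp 00007ffc00001000 error 4 in firefox[400000+20000]
May 19 10:09:03 host1 kernel: [81646.250000] qemu-dm[5150]: segfault at 10 ip 00000000004f1a22 sp 00007ffe33445566 error 4
""".splitlines()

if __name__ == "__main__":
    for hit in find_qemu_segfaults(SAMPLE_LOG):
        print(f"QEMU crash: {hit['comm']} pid={hit['pid']} fault_addr=0x{hit['addr']}")
```

A hit only says that a QEMU process crashed, which can have other causes, so treat it as a trigger to check which guest that process served and whether the host is patched.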

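By the way, only HVM (fully virtualized) VMs are affected. Paravirtualized VMs with XenTools installed are apparently not affected.
Well, if root is taken and XenTools gets removed, you're done for anyway.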
