Oracle was one of the first vendors notified by CrowdStrike, whose researcher Jason Geffner found the bug and disclosed it privately on April 30 to the Oracle security mailing list, the QEMU and Xen security mailing lists, and the Operating System Distribution Security list. Yet Oracle is the last of those to provide a fix.
VENOM, which is short for Virtualized Environment Neglected Operations Manipulation, was disclosed last Wednesday. The vulnerability can be exploited in targeted attacks against virtual machines to escape a guest instance and attack the host. Experts have said that because an attacker would need to be authenticated to a virtual machine in order to carry out an exploit, the most serious risks are mitigated. The bug, for example, cannot be exploited at scale, and as of today there has been only one publicly reported exploit, developed by researcher Marcus Meissner of SUSE Linux.
Also mitigating the risk is the fact that VMware, Microsoft and Bochs hypervisors are immune to VENOM; KVM and Xen, both of which have been patched, were the highest profile hypervisors vulnerable to the flaw.
VENOM lives in the virtual floppy disk controller (FDC) component of QEMU, an open-source virtualization package. Xen, KVM and other virtualization platforms run QEMU, and hosting providers that run on these platforms were advised to patch quickly. The FDC inside QEMU contains a buffer overflow that Meissner’s exploit uses to crash an unpatched instance of the software. While it’s possible to gain remote code execution, Meissner and others said this would be challenging for an attacker.
“To trigger the condition of the exploit is easy, however the attacker needs to have root-level privileges on the guest machine,” Meissner said. “From this to gaining code execution needs knowledge of the memory layout of the QEMU process running. Without address space randomization this could be more or less easy, but I have not researched this.”
Oracle said VirtualBox 3.2, 4.0, 4.1, 4.2, and 4.3 prior to 4.3.28 are affected by VENOM, as are Oracle VM 2.2, 3.2 and 3.3, and Oracle Linux 5, 6 and 7.
As for Oracle Cloud, the company said it continues to investigate and develop patches for affected services. Oracle provides several contacts for customers of its respective services in its advisory.
“The Oracle Cloud teams are evaluating these fixes as they become available and will be applying the relevant patches in accordance with applicable change management processes,” Oracle said in its advisory.
In a separate notice from last week, Oracle said Oracle Database Appliance, Oracle Exadata Database Machine, Oracle Exalogic Elastic Cloud and Oracle Exalytics In-Memory Machine all run QEMU and are potentially vulnerable to VENOM. None, however, were patched in this round of fixes.