Oracle patches its software to address the VENOM security vulnerability
May 19, 2015
Oracle said earlier this morning that it has released security patches for its virtualization software to address the VENOM vulnerability, which allows an attacker inside a guest to break out of the virtual machine and run code in the context of the hypervisor on the host, from where the other virtual machines on that host can be attacked.
Oracle follows a slew of other vendors and projects, including KVM and Xen, that have already patched the buffer overflow bug. For now, VMware, Microsoft and even Bochs appear to be unaffected.
Researcher Jason Geffner of security firm CrowdStrike quietly tipped off vendors, including Oracle, to VENOM (Virtualized Environment Neglected Operations Manipulation), tracked as CVE-2015-3456, and notified the Oracle, QEMU and Xen mailing lists.
"The vulnerable virtual Floppy Disk Controller (FDC) code is included in various virtualization platforms, and is used in some Oracle products," the company said in a recent security patch advisory.
"The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC," said the advisory.
"The attacker may be able to send malicious code to the FDC that is executed in the context of the hypervisor process on the host operating system," it added.
The vulnerability is not reachable from the network on its own: exploiting it requires an account inside a guest with enough privilege to talk to the emulated floppy controller. Oracle nonetheless rates it severe enough to strongly recommend that enterprise customers apply the patches and reboot as soon as possible.
That prerequisite is what has kept the bug from being exploited en masse, according to security researchers. Affected versions include VirtualBox 3.2, 4.0, 4.1, 4.2, and 4.3 prior to 4.3.28, which is the first fixed 4.3 release.
Also affected are Oracle VM 2.2, 3.2 and 3.3, and Oracle Linux 5, 6 and 7. Further limiting VENOM's reach, Amazon has said its Xen-based AWS instances are not affected.
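A quick way to turn the affected-version list above into something an administrator can run is a small version check. The script below is an added example, not code from the article or from Oracle: it classifies a VirtualBox version string against the ranges named above (3.2, 4.0, 4.1, 4.2, and 4.3 before 4.3.28), and can read the installed version from VBoxManage, whose `--version` output format (e.g. `4.3.28r100309`) is assumed here. The function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the article or from Oracle: classify a VirtualBox
# version string against the affected ranges listed above for CVE-2015-3456
# (3.2, 4.0, 4.1, 4.2, and 4.3 before 4.3.28; 4.3.28 is the first fixed 4.3
# release). Prints "affected", "fixed" or "not-listed" and returns 0, 1 or 2.
vbox_venom_status() {
    ver=$1
    # VBoxManage --version prints strings such as "4.3.28r100309" (assumed format);
    # drop everything from the first character that is not a digit or a dot.
    ver=$(printf '%s' "$ver" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch=${patch:-0}   # "4.3" with no patch level is treated as 4.3.0

    case "$major.$minor" in
        3.2|4.0|4.1|4.2)
            # Whole branch is listed as affected; the article names no fixed
            # release on these branches, so do not guess one.
            echo affected; return 0 ;;
        4.3)
            if [ "$patch" -lt 28 ]; then
                echo affected; return 0
            fi
            echo fixed; return 1 ;;
        *)
            # Branch not named in the article (e.g. 5.x): say so rather than guess.
            echo not-listed; return 2 ;;
    esac
}

# Inspect the host's installed VirtualBox, if VBoxManage is on PATH.
check_installed_vbox() {
    if ! command -v VBoxManage >/dev/null 2>&1; then
        echo "VBoxManage not found; pass a version string instead" >&2
        return 3
    fi
    installed=$(VBoxManage --version 2>/dev/null)
    printf 'VirtualBox %s: ' "$installed"
    vbox_venom_status "$installed"
}

# Usage: sh venom_vbox_check.sh VERSION   (e.g. sh venom_vbox_check.sh 4.3.27)
# or source the file and call check_installed_vbox on a VirtualBox host.
if [ -n "${1:-}" ]; then
    vbox_venom_status "$1"
fi
```

The exit codes (0 affected, 1 fixed, 2 not listed, 3 no VBoxManage) let the check be dropped into a fleet inventory job; anything returning 0 is a host that still needs the 4.3.28 (or later) update and a reboot.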
Trustwave threat intelligence manager Karl Sigler says the bug resembles a privilege escalation issue in that it requires existing access to a virtual machine.
"Most corporate virtual environments are simply isolated from anonymous or public access and would simply be immune to attacks," Sigler said.
"I would see this attack typically used to target hosting companies that utilize virtual environments like KVM. An attacker would purchase a KVM instance then use VENOM to breach the hosting server," he added.