qemu/KVM/Xen: floppy driver allows VM escape ("VENOM" vulnerability, CVE-2015-3456)
This document (7016497) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 10 Service Pack 4 (SLES 10 SP4)
SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)
SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Expanded Support 6 and 7
SUSE Cloud
Situation
Impact:
A vulnerability in the floppy disk driver of qemu, Xen, and KVM allows attackers with root privileges to escape from a virtual machine (guest) and access the host system.
The bug is not easy to exploit, and exploitation attempts might trigger crashes of the host system, which could be an indicator of an ongoing attack.
All currently supported versions of SUSE Linux Enterprise Server starting from SLES 10 SP3 up to and including SLE 12 as well as SUSE Linux Expanded Support 6 and 7 are affected by this vulnerability.
Since the problematic code is in qemu, all versions of Xen, qemu and KVM are affected.
Resolution
SUSE engineering is aware of the problem.
Maintenance updates for all affected products are in preparation.
As of now, updates that fix the issue are available for:
SUSE Linux Enterprise Server 10 SP4 LTSS:
xen-3.2.3_17040_46-0.15.1
SUSE Linux Enterprise Server 11 SP1 LTSS:
kvm-0.12.5-1.26.1
xen-4.0.3_21548_18-0.21.1
SUSE Linux Enterprise Server 11 SP2 LTSS:
kvm-0.15.1-0.29.1
xen-4.1.6_08-0.11.1
SUSE Linux Enterprise Server 11 SP3:
kvm-1.4.2-0.22.27.1
xen-4.2.5_06-0.7.1
SUSE Linux Enterprise Server 12:
xen-4.4.2_04-18.1
qemu-2.0.2-46.1
qemu-kvm updates are available for SUSE Linux Enterprise Expanded Support 6 and 7 as well.
Registered systems can be patched with YaST2 or zypper or via SUSE Manager.
For SUSE Linux Enterprise Expanded Support use "yum update" or get fixed packages from patchfinder manually.
Updates are available also via https://download.suse.com/patch/finder/
Updates for further products are in QA and follow soon.
This document gets updated once fixed packages are available.
Additional Information
Note: Patching the host replaces the qemu packages on disk, but virtual machines that are already running keep executing the old code. To fix the vulnerability after patching it is therefore necessary to either
* power-cycle the VM after patching the host system
OR
* migrate the VM to an already patched host system.
For SUSE OpenStack Cloud this can be accomplished using live migration, or with the following commands, which suspend and resume every active instance (suspend stops the instance's qemu process, resume starts a new one from the updated packages):
. .openrc                                   # load the OpenStack credentials
# collect the IDs of all active instances across all tenants
nova list --all_tenants --status active |\
  perl -ne "m/^[| ]*([0-9a-f-]+)/ && print \$1.' '" > active
for id in `cat active` ; do
  nova suspend $id
  # wait until the suspend task has finished before resuming
  while nova show $id | grep OS-EXT-STS:task_state.*suspending ; do
    sleep 3
  done
  nova resume $id
done
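A host-side check that goes with the note above, added here as an example and not part of the SUSE document: after the qemu/kvm package has been replaced, the kernel reports the executable of every VM process that has not been restarted as "... (deleted)" in /proc/PID/exe, which makes stale guests easy to list. The function takes the procfs root as a parameter (an assumption made so it can be run against a constructed tree); on a real host call it with /proc.

```shell
#!/bin/sh
# List qemu/kvm processes that still run the pre-update binary.
# Assumes a Linux procfs layout; the proc root is a parameter for testing.

# Print "PID COMM EXE" for each VM process whose executable was replaced
# on disk (the kernel appends " (deleted)" to the exe symlink target).
stale_vm_processes() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null)
        # only look at hypervisor device-model processes
        case "$comm" in
            qemu*|kvm*) ;;
            *) continue ;;
        esac
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            *" (deleted)") printf '%s %s %s\n' "${d##*/}" "$comm" "$exe" ;;
        esac
    done
}

# Succeed only when no VM process is left running old code, so a
# maintenance script can refuse to report the host as fixed otherwise.
host_vms_restarted() {
    [ -z "$(stale_vm_processes "$1")" ]
}

if [ "${1:-}" = "--run" ]; then
    stale_vm_processes /proc
fi
```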
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7016497
- Creation Date: 13-May-2015
- Modified Date: 28-Sep-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com