2015-07 Security Bulletin: Buffer overflow vulnerability in QEMU component of the KVM/QEMU and Xen hypervisors (CVE-2015-3456) aka VENOM

Product Affected:EX and QFX Series devices with virtualization support; specifically EX4600, QFX5100, and QFX10002.

Problem:In products utilizing virtualization technologies, a buffer overflow vulnerability in QEMU component of the KVM/QEMU and Xen hypervisors may allow privileged guest users such as an administrative user in a virtual machine to crash the guest OS. This issue may potentially allow execution of arbitrary code on the host OS. If an untrusted VM is being run it may lead to complete compromise of the host machine and other VMs.This vulnerability is named ‘VENOM’ and assigned CVE-2015-3456. Juniper SIRT is not aware of any malicious exploitation of this vulnerability on Juniper products. The following Juniper products make use of affected virtualization technologies: EX Series device EX4600QFX Series devices QFX5100 and QFX10002The following Juniper products are not vulnerable: EX and QFX series devices not listed above are not vulnerable.Virtual Route Reflector is not vulnerable.QFabric Director is not vulnerable.Junos Space is not vulnerable: While Junos Space includes a vulnerable version of QEMU, it does not permit root access in a guest OS and hence not impacted by this issue. QEMU will be updated in the next possible release as a precaution.Products that do not include any virtualization technologies like SRX Series and ScreenOS are not affected by this vulnerability.

Solution:EX and QFX SeriesThis issue is resolved in Junos OS 13.2X51-D40 (pending release) and Junos OS 14.1X53-D30 (pending release), and all subsequent releases.

Workaround:Since successful exploitation requires root privileges in a virtual machine, restricting administrative access to virtual machines to trusted administrators and not running untrusted virtual machines should help in reducing the risks of exploitation of this issue.

Implementation:How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of “PRs fixed” can be provided on request. Modification History: 2015-07-08: Initial publication

Related Links: CVSS Score:CVSSv2: 6.6 (AV:L/AC:L/Au:S/C:C/I:C/A:C)

Risk Level:Medium

Risk Assessment:Information for how Juniper Networks uses CVSS can be found at KB 16446 “Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories.”

Acknowledgements: 

Leave a Reply