SA95 : VENOM Vulnerability in Virtualization Platforms

Security Advisory ID: 
Published Date: May 15, 2015
Advisory Status: 
Advisory Severity: 
CVSS v2 base score: 7.7 (AV:A/AC:L/Au:S/C:C/I:C/A:C)
CVE Number: CVE-2015-3456 - CVSS v2 base score 7.7 (AV:A/AC:L/Au:S/C:C/I:C/A:C)

The VENOM vulnerability allows a local guest user in affected virtualized platforms to escape from the virtual environment and execute code on the host.  An attacker can use this vulnerability to gain complete access to the host and to the host's local network and adjacent systems.

Affected Products:

The following products are vulnerable:

XOS 9.6, 9.7, and 10.0 are vulnerable when running McAfee Firewall Enterprise. Customers running Check Point or other applications are not affected. XOS 11.0 and later are not vulnerable. Successful exploitation of this vulnerability would first require a compromise of the McAfee Firewall Enterprise instance. Customers should check with their application vendors for any additional information on potential vulnerabilities within their application.

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
Auth Connector Login Application
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
Mail Threat Defense
Malware Analysis Appliance
Malware Analyzer G2
Management Center
Mobile Device Security
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper S-Series
PolicyCenter S-Series
ProxyAV ConLog and ConLogXP
Security Analytics
SSL Visibility
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

Virtualized Environment Neglected Operation Manipulation (VENOM) is a defect in QEMU's virtual Floppy Disk Controller (FDC). The FDC is used in multiple virtualization platforms, including Xen, KVM, and the native QEMU client. VMware, Microsoft Hyper-V, and Bochs hypervisors are known not to be impacted. The vulnerability can be exploited regardless of the guest operating system, and even if the virtual floppy drive has been disabled.

An attacker can utilize the VENOM vulnerability to escape from the virtual host.  The attacker can use this access to execute code on the host which could result in the attacker gaining elevated privileges on the host's local network and adjacent systems.

XOS utilizes KVM to run McAfee Firewall Enterprise on APM blades of an X-Series chassis. The impact of this vulnerability is limited in this environment because XOS only runs a single trusted McAfee Firewall Enterprise VM per APM module. Additionally, the McAfee Firewall Enterprise guest and XOS host cooperate within a single security domain to provide firewall services. Therefore, an attacker exploiting the VENOM vulnerability would not cross a significant security boundary. Lastly, there is no inherent trust between APM modules within a chassis, so it would be difficult for an attacker who could use this vulnerability to compromise a single APM to pivot to other APM modules within the chassis.


There are no known workarounds.



XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.
XOS 9.6 and prior - a fix will not be provided.  Please upgrade to the latest release with the vulnerability fix.

Advisory History: 

2017-03-06 Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-09-15 Advanced Secure Gateway is not vulnerable.
2016-06-11 PolicyCenter S-Series is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-23 Mail Threat Defense is not vulnerable.
2015-07-13 Title Update
2015-05-18 ProxySG, OPIC, and Director are not vulnerable
2015-05-15 AuthConnector, Auth Connector Login Application, and BCAAA are not vulnerable
2015-05-15 Initial public release