This week, a security advisory identified as “VENOM” (Virtualized Environment Neglected Operations Manipulation), CVE-2015-3456, was publicly announced. During Citrix Synergy, I received questions about how XenServer is affected and what customers should do about it.
Citrix recently published a security advisory (http://support.citrix.com/article/CTX201078) on VENOM as it relates to XenServer, and while that should be your main source of updates, I thought I would provide some context to our response here.
Citrix is working on a hotfix for XenServer which we plan to release next week. Currently, Citrix is not aware of any publicly-available exploit code for VENOM on XenServer.
People often ask why it takes time to release a hotfix: the most significant part of the answer is that every hotfix we release undergoes extensive testing. In addition to the usual functional regression testing, we carry out (automated) multi-day stress testing; if there are any issues in a patch, the stress testing is when we normally find them. With that as the background, let’s quickly take a look at how VENOM could impact a XenServer deployment.
The VENOM vulnerability is a buffer overrun within the device emulation layer (qemu) used in various virtualisation platforms, including Xen- and KVM-based ones.
Specifically, it concerns the code used to emulate a floppy drive device for HVM guests (which for most customers, means Windows virtual machines, though on XenServer 6.5, newer versions of Linux guests also run in HVM mode). Whilst XenServer doesn’t actually make a floppy device visible to any VMs, the code is still present.
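To make the shape of the bug concrete, here is an added, constructed model of a floppy-controller data FIFO; it is not qemu's fdc.c and does not reproduce the exact code paths of CVE-2015-3456. It shows the bug class the advisory describes (a fixed-size FIFO written one byte at a time from a guest I/O port, with a write index that is never bounded) beside the hardened form that keeps the index inside the buffer. The struct, function names and the labelled "state" region after the FIFO are assumptions of the model: in a real emulator the bytes following the FIFO are whatever the allocator placed there.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of an emulated floppy-controller data FIFO (not QEMU's
 * fdc.c). The guest fills the FIFO one byte per I/O-port write; the bug
 * class behind VENOM is a guest-advanced write index into that FIFO that
 * the emulator never bounds. */
#define FIFO_LEN  512u
#define STATE_LEN 32u

/* In a real emulator the bytes after the FIFO are whatever the allocator
 * placed next (other device state, heap metadata, function pointers).
 * Here they are modelled as a labelled "state" region so the overrun stays
 * inside one buffer and the program remains well-defined (assumption). */
struct fdc_model {
    uint8_t  mem[FIFO_LEN + STATE_LEN]; /* [0,512) = FIFO, [512,544) = adjacent state */
    uint32_t data_pos;                  /* guest-advanced write index */
};

static void fdc_reset(struct fdc_model *f) {
    memset(f->mem, 0, sizeof f->mem);
    memset(f->mem + FIFO_LEN, 0xA5, STATE_LEN); /* marker so clobbering is visible */
    f->data_pos = 0;
}

/* Vulnerable shape: the index advances on every port write and is never
 * reduced modulo the FIFO size, so the 513th byte lands outside the FIFO.
 * Returns 1 when the write corrupted adjacent state, 0 otherwise. */
static int fdc_write_data_vuln(struct fdc_model *f, uint8_t value) {
    uint32_t pos = f->data_pos++;
    if (pos >= sizeof f->mem)   /* guard only for the model's own safety */
        return -1;
    f->mem[pos] = value;
    return pos >= FIFO_LEN;
}

/* Hardened shape: keep the index inside the FIFO no matter how many bytes
 * the guest pushes. Wrapping is used here; rejecting the write or resetting
 * the controller would be equally valid policies. */
static int fdc_write_data_fixed(struct fdc_model *f, uint8_t value) {
    uint32_t pos = f->data_pos++;
    pos %= FIFO_LEN;
    f->mem[pos] = value;
    return 0;
}

/* Count state bytes that no longer hold the marker. */
static unsigned fdc_state_clobbered(const struct fdc_model *f) {
    unsigned n = 0;
    for (unsigned i = 0; i < STATE_LEN; i++)
        if (f->mem[FIFO_LEN + i] != 0xA5) n++;
    return n;
}

/* Drive a guest that pushes `count` bytes through the given write routine;
 * returns how many of those writes landed outside the FIFO. */
static unsigned flood(struct fdc_model *f,
                      int (*wr)(struct fdc_model *, uint8_t),
                      unsigned count) {
    fdc_reset(f);
    unsigned bad = 0;
    for (unsigned i = 0; i < count; i++)
        if (wr(f, (uint8_t)(0x41 + (i & 7))) > 0) bad++;
    return bad;
}

int main(void) {
    struct fdc_model f;
    unsigned bad = flood(&f, fdc_write_data_vuln, FIFO_LEN + 16);
    printf("vulnerable: %u writes past the FIFO, %u state bytes clobbered\n",
           bad, fdc_state_clobbered(&f));
    bad = flood(&f, fdc_write_data_fixed, FIFO_LEN + 16);
    printf("hardened:   %u writes past the FIFO, %u state bytes clobbered\n",
           bad, fdc_state_clobbered(&f));
    return 0;
}
```

The point of the model is that the guest never needs a floppy attached: it only needs the emulated controller's port handler to be reachable, and a counter that only ever grows. Bounding the index at the point of use, rather than trusting that some earlier command reset it, is the fix that survives whatever command sequence the guest chooses.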
Because of added security features in XenServer, our assessment of the situation is that the VENOM vulnerability cannot currently be exploited for a guest to gain unauthorized access to data.
We’ll continue to keep you up to date through the security bulletin, and of course if you have questions do get in touch with Citrix Support.