A very serious security problem has been found in QEMU’s virtual floppy drive code, which is used by many virtualization platforms including Xen, KVM, VirtualBox, and the native QEMU client. It is called the VENOM vulnerability. How can I fix the VENOM vulnerability and protect my Linux server against the attack? How do I verify that my server has been fixed against the VENOM vulnerability?

This is tagged as a high-severity security bug and it was announced on 13th May 2015.

The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase. Since the VENOM vulnerability exists in the hypervisor’s codebase, the vulnerability is agnostic of the host operating system (Linux, Windows, Mac OS, etc.).

What is the VENOM security bug (CVE-2015-3456)?

From the RHEL bugzilla:

An out-of-bounds memory access flaw was found in the way QEMU’s virtual Floppy Disk Controller (FDC) handled FIFO buffer access while processing certain FDC commands. A privileged guest user could use this flaw to crash the guest or, potentially, execute arbitrary code on the host with the privileges of the hosting QEMU process.

Fig.01 Venom bug

This issue affects the kvm, xen, and QEMU packages; VMware, Hyper-V, and Bochs are unaffected. It affects all x86 and x86-64 based HVM Xen guests and QEMU/KVM guests, regardless of their machine type.

A list of affected Linux distros

  • RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
  • CentOS Linux version 5.x, 6.x and 7.x
  • OpenStack 5 for RHEL 6
  • OpenStack 4 for RHEL 6
  • OpenStack 5 for RHEL 7
  • OpenStack 6 for RHEL 7
  • Red Hat Enterprise Virtualization 3
  • Debian Linux code named stretch, sid, jessie, squeeze, and wheezy [and all other distros based on Debian]
  • SUSE Linux Enterprise Server 10 Service Pack 3 (SLES 10 SP3)
  • SUSE Linux Enterprise Server 10 Service Pack 4 (SLES 10 SP4)
  • SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)
  • SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
  • SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Expanded Support 5, 6 and 7
  • Ubuntu 12.04
  • Ubuntu 14.04
  • Ubuntu 14.10
  • Ubuntu 15.04

Fix the VENOM vulnerability on CentOS/RHEL/Fedora/Scientific Linux

Type the following yum commands (with sudo, or as the root user without it):
sudo yum clean all
sudo yum update

Then power off and start again all virtual machines on those hypervisors (a reboot from inside the guest is not enough).

Fix the VENOM vulnerability on Debian Linux

Type the following apt-get commands (with sudo, or as the root user without it):
sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade

Then power off and start again all virtual machines on those hypervisors (a reboot from inside the guest is not enough).

Fix the VENOM vulnerability on Ubuntu Linux

Type the following apt-get commands (with sudo, or as the root user without it):
sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade

Then power off and start again all virtual machines on those hypervisors (a reboot from inside the guest is not enough).

Fix the VENOM vulnerability for Oracle VirtualBox on Linux/OS X/MS-Windows/Solaris Unix

You need to download and install the VirtualBox 4.3 maintenance release from this page.

Do I need to reboot my host server?

There is no need to reboot the host server, but you do need to restart all virtual machines on those hypervisors; this cannot be avoided. Sample commands to list, stop, and start KVM/QEMU guests are as follows:

## Following the update, the guests (virtual machines) ##
## need to be powered off and started up again for the update to take effect. ##
## Rebooting a VM from inside the guest will not work: the host's QEMU process keeps running the old code ##
## List all VMs (running and stopped) ##
virsh list --all
## Stop the VM called db1. This only sends an ACPI shutdown request, so wait until ##
## "virsh list" no longer shows db1 as running before starting it again ##
virsh shutdown db1
## Start the VM called db1 again ##
virsh start db1

See “KVM: Starting / Stopping Guest Operating Systems With virsh Command” for more info.
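A helper for the power-cycle step above and for verifying which guests still run pre-update code, added here as an example and not taken from the article, QEMU or libvirt. It assumes libvirt's pidfile layout (/var/run/libvirt/qemu/<name>.pid) and relies on the fact that a process still mapping a deleted executable is still running the old code; the sample maps lines inside are constructed for the self-check.

```shell
#!/bin/sh
# Added example (not from the article, QEMU or libvirt). After the package update,
# a guest whose QEMU process predates the update still runs the old FDC code; the
# updater unlinks the old files, so /proc/<pid>/maps shows their executable mappings
# as "(deleted)". A reboot from inside the guest never replaces the host-side process.
# Assumption: libvirt writes the QEMU pid to /var/run/libvirt/qemu/<name>.pid.

# Exit 0 if the maps text on stdin has an executable (r-xp) mapping of a
# deleted file under /usr or /lib (the qemu binary or one of its libraries).
maps_has_stale_code() {
    grep -Eq '^[^ ]+ r-xp .* /(usr|lib)[^ ]* \(deleted\)$'
}

# Print the names of running guests whose QEMU process still runs old code.
list_stale_guests() {
    for guest in $(virsh list --state-running --name); do
        pid=$(cat "/var/run/libvirt/qemu/$guest.pid" 2>/dev/null) || continue
        maps_has_stale_code < "/proc/$pid/maps" && echo "$guest"
    done
}

# Power-cycle one guest. "virsh shutdown" only sends an ACPI request and returns
# at once, so wait until the domain has really stopped before starting it again.
power_cycle_guest() {
    virsh shutdown "$1"
    while virsh list --state-running --name | grep -qx "$1"; do
        sleep 2
    done
    virsh start "$1"
}

# Constructed sample maps lines (not captured from a real host) for a self-check.
SAMPLE_STALE='7f3a0000-7f3a1000 r-xp 00000000 fd:01 4242 /usr/libexec/qemu-kvm (deleted)'
SAMPLE_FRESH='7f3a0000-7f3a1000 r-xp 00000000 fd:01 4243 /usr/bin/qemu-system-x86_64'
SAMPLE_ANON='7f3b0000-7f3b1000 rw-p 00000000 00:05 99 /dev/zero (deleted)'

# Exit 0 only if the stale sample is flagged and the other two are not.
self_test() {
    printf '%s\n' "$SAMPLE_STALE" | maps_has_stale_code || return 1
    printf '%s\n' "$SAMPLE_FRESH" | maps_has_stale_code && return 1
    printf '%s\n' "$SAMPLE_ANON" | maps_has_stale_code && return 1
    return 0
}

# Usage: sh venom-check.sh --list   (or --fix to power-cycle every stale guest)
case "${1:-}" in
    --list) list_stale_guests ;;
    --fix)  for g in $(list_stale_guests); do power_cycle_guest "$g"; done ;;
esac
```

Run it with --list after the package update; an empty list means every running guest was started on the updated binary.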

General workaround (may not work at all, so patch ASAP)

The emulated floppy is loaded by default in qemu and kvm. You can disable floppy support by starting qemu with -nodefaults, which drops all default devices including the floppy controller, and then adding back only what you need (here a standard VGA adapter; add any other option as required):

qemu  -nodefaults -vga std ...

Another workaround on CentOS/SUSE/Red Hat Enterprise Linux is to manage the virtual machines with libvirt. See the libvirt and qemu man pages for more info.

More info

See the following external links for more info on this bug:

8 comments
  • Joel Davis May 13, 2015 @ 17:04

    The posted workaround probably doesn’t work since I believe there’s another bug that allows an attacker to turn the FDC on themselves. The only real way to be sure is to patch affected systems. Enterprise users should have an HA solution so they just have to migrate off each hypervisor individually during an emergency change window. There’s no actionable exploit that’s been found so far which is why it’s being described as just a “flaw.” It’s a threat but nobody’s been able to find a way to use it yet. Always better to stay ahead of the attackers.

  • disablefloppy May 13, 2015 @ 18:35

    The crowdstrike announcement said that disabling the floppy is not enough:

    “For many of the affected virtualization products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.”

    So it seems that if the floppy disk controller is present, it can still be exploited.

  • Sai Kumar May 14, 2015 @ 4:46

    Running tons of VM? Try :)

    m="$(virsh list --state-running --name)"
    for guest in $m; do
      echo "Rebooting $guest..."
      virsh shutdown "$guest"
      while virsh list --state-running --name | grep -qx "$guest"; do sleep 2; done  # wait until the guest is really off
      virsh start "$guest"
    done

  • MacFanBoy May 14, 2015 @ 5:06

    Amazon states that AWS is not vulnerable :)


  • Carlos May 14, 2015 @ 14:42

    Would migrating my VMs to a patched host be enough to avoid the vulnerability?

  • David Ridge May 14, 2015 @ 18:42

    Although fiction, this reminds me of the movie “Space Cowboys” where I guess an archaic satellite or space station goes rogue and four retired astronauts are pulled outta moth balls to solve the problem. And, this is a feeble summary at best. I’m 68 so young people do your homework concerning the past.

  • Max Dor May 15, 2015 @ 9:17

    While not officially stated by Oracle yet, a simple look at the VirtualBox source code between 4.3.26 & 4.3.28 shows it has been fixed.

    QEMU fix for reference
