CVE-2015-3456 ("Venom") and Xen: why are you vulnerable? #xen #xenproject #venom
Let me spend a few words on CVE-2015-3456, also known as "Venom". Poor choice of a false acronym, if you ask me.
The vulnerability is caused by a bug in the QEMU floppy drive emulator.
This is exactly the sort of bug that we are trying to prevent in the Xen Project by limiting, and where possible avoiding entirely, device emulation. This is why Xen on ARM does not do any emulation at all. This is also why Xen on x86 still provides the ability to boot good old PV guests, which do not come with a large, exploitable, emulated environment.
If you are using Xen on ARM, you are OK. If you are using Xen on x86 with just PV guests or PVH guests (the new, faster, flavour of PV guests), you are also OK. If you are using HVM guests (builder="hvm" in the VM config file), you are affected.
As you probably know, Xen HVM guests rely on QEMU for emulation. Nonetheless, we still try to limit the attack surface by disabling as many device emulators as possible by default.
For example we disable the floppy drive emulator.
Yes, you have heard correctly: the Xen toolstack disables a bunch of QEMU devices, including the floppy drive emulator, to avoid security vulnerabilities like "Venom".
So is Xen really vulnerable? Unfortunately yes, because of another QEMU bug: QEMU does not actually disable floppy drives, even when you ask nicely.
Sigh. Oh well, at least we tried. :-/
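If you have a directory full of guest config files and want to apply the rule above (HVM guests affected, PV and PVH guests not), here is a small triage helper. It is an added example, not code from the Xen toolstack or this post; it only reads the `builder=` key named above (and the newer `type=` key that later xl releases accept) and deliberately ignores any floppy-related settings, since the config cannot actually switch the emulator off. The sample configs are constructed.

```python
import re

# Minimal reader for xl/xm guest config files: one "key = value" per line,
# string values in single or double quotes, '#' starts a comment.
# Hypothetical helper; only the keys needed for this triage are interpreted,
# and values are assumed not to contain a '#' character.
_KV = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')

def parse_xl_config(text):
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0]          # drop trailing comment
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in '"\'':
            val = val[1:-1]                  # unquote string literal
        conf[key] = val
    return conf

def guest_type(conf):
    """Return 'hvm', 'pvh' or 'pv'. builder= is the key used in the post;
    type= is the equivalent key in newer xl releases. A config naming
    neither is a plain PV guest."""
    t = (conf.get('type') or conf.get('builder') or 'pv').lower()
    return t if t in ('hvm', 'pvh') else 'pv'

def venom_affected(config_text):
    """Only HVM guests get a QEMU device model, so only they are exposed;
    nothing in the config (floppy settings included) changes that."""
    return guest_type(parse_xl_config(config_text)) == 'hvm'

# Constructed sample configs for illustration.
HVM_GUEST = '''
builder = "hvm"     # full device emulation via QEMU
name = "win2012"
memory = 4096
'''
PV_GUEST = '''
name = 'web01'
kernel = "/boot/vmlinuz-pv"
memory = 1024
'''

if __name__ == '__main__':
    for label, cfg in (('HVM', HVM_GUEST), ('PV', PV_GUEST)):
        print(label, 'affected' if venom_affected(cfg) else 'not affected')
```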