Discuss the 4.3.28 release

This is for discussing general topics about how to use VirtualBox.
frank
Oracle Corporation
Posts: 3362
Joined: 7. Jun 2007, 09:11
Primary OS: Debian Sid
VBox Version: PUEL
Guest OSses: Linux, Windows
Location: Dresden, Germany

Discuss the 4.3.28 release

Post by frank »

Discuss the 4.3.28 release here. See the changelog for details.
Christophe Deprez
Posts: 1
Joined: 14. May 2015, 22:22

Re: Discuss the 4.3.28 release

Post by Christophe Deprez »

Does this release protect against CVE-2015-3456 aka "VENOM"?
Thanks.
noteirak
Site Moderator
Posts: 5229
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7

Re: Discuss the 4.3.28 release

Post by noteirak »

Looks like it does: here is the QEMU original diff for the fix, and here is the VirtualBox diff between the 4.3.26 and 4.3.28 sources.
As you can see, the same protection has been added in VirtualBox code, in a slightly different way. I would still ask someone else with sufficient skills to validate my statement.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all

Re: Discuss the 4.3.28 release

Post by michaln »

Christophe Deprez wrote:Does this release protect against CVE-2015-3456 aka "VENOM"?
You realize that unless you have a VM with a floppy controller configured (unlikely) and have a malicious user running in such VM with superuser privileges, the floppy controller vulnerabilities disclosed in CVE-2015-3456 are completely irrelevant, right?
smithlar
Posts: 79
Joined: 9. May 2008, 15:54
Primary OS: openSUSE
VBox Version: PUEL
Guest OSses: WinXP32 WinXP64 Win7-32 Win7-64 openSUSE64 OS2 Win10
Location: Texas, USA

Re: Discuss the 4.3.28 release

Post by smithlar »

michaln wrote:
Christophe Deprez wrote:Does this release protect against CVE-2015-3456 aka "VENOM"?
You realize that unless you have a VM with a floppy controller configured (unlikely) and have a malicious user running in such VM with superuser privileges, the floppy controller vulnerabilities disclosed in CVE-2015-3456 are completely irrelevant, right?
It is being reported in the Tech Press that VENOM can be exploited whether or not a floppy controller is configured. here is an example:
http://www.zdnet.com/article/venom-the- ... n-is-here/

As long as VENOM is fixed in 4.3.28, all is well.
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all

Re: Discuss the 4.3.28 release

Post by michaln »

smithlar wrote:It is being reported in the Tech Press that VENOM can be exploited whether or not a floppy controller is configured.
I suppose that says something about the tech press. And that something is not very nice.

Let's quote the actual VENOM website: "And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers." Why is VirtualBox not explicitly listed? Because unless the floppy controller is enabled in VirtualBox, it's not there.

Yes, it's possible that Xen and QEMU enable the FDC even if the user didn't (we didn't check). But that is not the case with VirtualBox.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Discuss the 4.3.28 release

Post by mpack »

You know right away that when they give a geeky name like VENOM! to a mundane and unimportant technical weakness, that this story is going to be all hype.
nbn532
Posts: 1
Joined: 15. May 2015, 16:42

Re: Discuss the 4.3.28 release

Post by nbn532 »

michaln wrote:
Christophe Deprez wrote:Does this release protect against CVE-2015-3456 aka "VENOM"?
You realize that unless you have a VM with a floppy controller configured (unlikely) and have a malicious user running in such VM with superuser privileges, the floppy controller vulnerabilities disclosed in CVE-2015-3456 are completely irrelevant, right?
Very true. The hype, self-promotion, and sensationalism these days around vulnerabilities is unfortunate, and often counter-productive.

However, when one has thousands of developers using VirtualBox across an enterprise business, one's security compliance department does not accept "unlikely" as a status. I cannot be certain that no one has configured the floppy controller, and therefore am looking for clarity as to what remediation path, if any, there is for VirtualBox.

I agree in principle with michaln and mpack's comments, but also this:
noteirak wrote:Looks like it does, [...] I would still ask someone else with sufficient skills to validate my statement.
the change log only says: "Floppy: various fixes"

not very helpful in evaluating the compliance situation.

Thanks!
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all

Re: Discuss the 4.3.28 release

Post by michaln »

nbn532 wrote:I can not be certain that no one has configured the floppy controller,
If you can't find out though, you probably have more serious problems to worry about, no? :) Really, all it takes is to make sure the FDC is turned off and the vulnerability is gone, regardless of VirtualBox version. VirtualBox has not been configuring a FDC by default for normal VMs for the last 5 years or so.
and therefore am looking for clarity as to what remediation path, if any, there is for VirtualBox.
You are unfortunately looking in the wrong place. Oracle policy does not allow developers to make any official statements about security issues. So whatever you might be told here is unauthoritative and/or will get someone in trouble. You have to wait for Oracle to publish an advisory or, if you are an Oracle customer, you may want to get in touch with your support representative.

It's probably safe to say that the diffs noteirak pointed at do tell the real story whether 4.3.28 is fixed or not. A security compliance department should be able to make sense of it.
not very helpful in evaluating the compliance situation.
Indeed, the sky is falling and there's no one here to provide a reassuring comment. And not only is the sky falling, the vulnerability has been there since 2004...
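The remediation michaln describes (make sure no VM carries a floppy controller) can be checked across every registered VM from the host. The script below is an added example written for this edit; it is not code from this thread or from the VirtualBox project. It assumes that `VBoxManage list vms` prints one `"name" {uuid}` line per VM and that `VBoxManage showvminfo <uuid> --machinereadable` reports each storage controller as a `storagecontrollernameN=` / `storagecontrollertypeN=` pair with the floppy controller type shown as `I82078`; verify those field names against your own VBoxManage version before relying on the result. The sample showvminfo output embedded in the script is constructed for a self-check and was not captured from a real host, and the `VBoxManage storagectl ... --remove` command it prints should be reviewed before it is run against a VM.

```shell
#!/bin/sh
# Added example for this thread, not VirtualBox project code.
# Audits registered VirtualBox VMs for a floppy controller (FDC), the only
# configuration in which the CVE-2015-3456 FDC code is present in VirtualBox.
#
# Assumptions (verify on your VBoxManage version):
#   - "VBoxManage list vms" prints one '"name" {uuid}' line per VM
#   - "VBoxManage showvminfo <uuid> --machinereadable" reports controllers as
#     storagecontrollernameN="..." / storagecontrollertypeN="..." pairs, and
#     the floppy controller type is reported as "I82078"

# True (exit 0) if the machine-readable showvminfo text in $1 declares a
# floppy-type storage controller.
has_floppy_controller() {
    printf '%s\n' "$1" | grep -q '^storagecontrollertype[0-9][0-9]*="I82078"$'
}

# Print the name of every floppy-type controller found in the showvminfo text
# in $1, one per line (prints nothing if the VM has no FDC).
floppy_controller_names() {
    _info=$1
    printf '%s\n' "$_info" \
      | sed -n 's/^storagecontrollertype\([0-9][0-9]*\)="I82078"$/\1/p' \
      | while read -r _idx; do
            # Look up the controller name that shares the index of the
            # I82078-typed controller.
            printf '%s\n' "$_info" \
              | sed -n "s/^storagecontrollername${_idx}=\"\(.*\)\"\$/\1/p"
        done
}

# Walk every registered VM on this host and report the ones that carry an FDC,
# together with the VBoxManage command that removes that controller.
audit_all_vms() {
    VBoxManage list vms \
      | sed -n 's/.*{\([0-9a-fA-F-]*\)}$/\1/p' \
      | while read -r _uuid; do
            _info=$(VBoxManage showvminfo "$_uuid" --machinereadable)
            _name=$(printf '%s\n' "$_info" | sed -n 's/^name="\(.*\)"$/\1/p')
            floppy_controller_names "$_info" | while read -r _ctl; do
                printf 'VM "%s" (%s) has floppy controller "%s"\n' \
                    "$_name" "$_uuid" "$_ctl"
                printf '  remove with: VBoxManage storagectl "%s" --name "%s" --remove\n' \
                    "$_uuid" "$_ctl"
            done
        done
}

# Constructed sample output (not captured from a real host), used so the
# parsing can be exercised on a machine without VBoxManage installed.
SAMPLE_WITH_FDC='name="dev-winxp"
storagecontrollername0="IDE"
storagecontrollertype0="PIIX4"
storagecontrollername1="Floppy"
storagecontrollertype1="I82078"'

SAMPLE_NO_FDC='name="dev-centos"
storagecontrollername0="IDE"
storagecontrollertype0="PIIX4"
storagecontrollername1="SATA"
storagecontrollertype1="IntelAhci"'

# Live audit only when VBoxManage is actually present on this host.
if command -v VBoxManage >/dev/null 2>&1; then
    audit_all_vms
else
    echo "VBoxManage not found; live audit skipped" >&2
fi
```

Run it on each developer host (or push it out with whatever you already use for fleet execution); any VM it lists has the FDC device configured, which, per the discussion above, is the one case in VirtualBox where the floppy fix between 4.3.26 and 4.3.28 actually matters. Note that `audit_all_vms` only sees VMs registered for the user running it, so run it as each user who owns VMs.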
Etepetete
Posts: 400
Joined: 7. Oct 2009, 10:19
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Slackware 14.2
Location: Berlin

Re: Discuss the 4.3.28 release

Post by Etepetete »

Hey nbn532,

the answer to your question can be found here
marshals
Posts: 21
Joined: 6. May 2010, 13:31
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Discuss the 4.3.28 release

Post by marshals »

I installed 4.3.28 on Win7hp64 host, but on reboot get the below error when I try to start a guest.
[attached screenshot: 4.3.28 error.PNG]
Attached is the log from one of the guests. In case it's relevant, I only have MSE AV installed, which is up to date.
EDIT: I rolled back to 4.3.26 and the problem went away.
[attachment: VBoxStartup.log]
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all

Re: Discuss the 4.3.28 release

Post by michaln »

michaln wrote:You have to wait for Oracle to publish an advisory...
And as Etepetete already mentioned, the official statement is here: http://www.oracle.com/technetwork/topic ... 42656.html
dmischa
Posts: 58
Joined: 20. May 2010, 12:32
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: RHEL, Fedora, Windows 7

Re: Discuss the 4.3.28 release

Post by dmischa »

Updating from 4.3.26 to 4.3.28 on a CentOS 5.11 host I get

Code:

Uninstalling old VirtualBox DKMS kernel modules
rmdir: : No such file or directory
rmdir: : No such file or directory
rmdir: : No such file or directory
rmdir: : No such file or directory
 [  OK  ]

This is not new, but it would be a good idea to apply the cosmetic fix to the install scripts.
dmischa
Posts: 58
Joined: 20. May 2010, 12:32
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: RHEL, Fedora, Windows 7

Re: Discuss the 4.3.28 release

Post by dmischa »

With 4.3.28 (Guest Additions installed) the fonts in a CentOS 6.6 guest on a CentOS 5.11 host appear larger than in the previous releases. This should not be expected. On a Yosemite host, on the other hand, the behaviour of a CentOS 6.6 guest is as in the previous releases of VirtualBox.
michael
Oracle Corporation
Posts: 682
Joined: 10. May 2007, 09:46

Re: Discuss the 4.3.28 release

Post by michael »

dmischa wrote:With 4.3.28 (Guest Additions installed) the fonts in a CentOS 6.6 guest on a CentOS 5.11 host appear larger than in the previous releases. This should not be expected. On a Yosemite host, on the other hand, the behaviour of a CentOS 6.6 guest is as in the previous releases of VirtualBox.
Thank you. I am aware of this, but do not yet have a recipe to reliably reproduce it. If you can find out more that would be of interest. A diff of the Xorg.*.log file with old Additions and smaller fonts and with new Additions and larger fonts might be interesting too.