Discuss the 4.3.28 release
-
- Posts: 1
- Joined: 14. May 2015, 22:22
Re: Discuss the 4.3.28 release
Does this release protect against CVE-2015-3456 aka "VENOM"?
Thanks.
-
- Site Moderator
- Posts: 5229
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: Discuss the 4.3.28 release
Looks like it does, here is the QEMU original diff for the fix, and here is the VirtualBox diff between 4.3.26 & 4.3.28 sources.
As you can see, the same protection has been added in VirtualBox code, in a slightly different way. I would still ask someone else with sufficient skills to validate my statement.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
-
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: PUEL
- Guest OSses: Any and all
- Contact:
Re: Discuss the 4.3.28 release
Christophe Deprez wrote:
    Does this release protect against CVE-2015-3456 aka "VENOM"?
You realize that unless you have a VM with a floppy controller configured (unlikely) and have a malicious user running in such VM with superuser privileges, the floppy controller vulnerabilities disclosed in CVE-2015-3456 are completely irrelevant, right?
-
- Posts: 79
- Joined: 9. May 2008, 15:54
- Primary OS: openSUSE
- VBox Version: PUEL
- Guest OSses: WinXP32 WinXP64 Win7-32 Win7-64 openSUSE64 OS2 Win10
- Location: Texas, USA
Re: Discuss the 4.3.28 release
michaln wrote:
    Christophe Deprez wrote:
        Does this release protect against CVE-2015-3456 aka "VENOM"?
    You realize that unless you have a VM with a floppy controller configured (unlikely) and have a malicious user running in such VM with superuser privileges, the floppy controller vulnerabilities disclosed in CVE-2015-3456 are completely irrelevant, right?
It is being reported in the Tech Press that VENOM can be exploited whether or not a floppy controller is configured. Here is an example:
http://www.zdnet.com/article/venom-the- ... n-is-here/
As long as VENOM is fixed in 4.3.28, all is well.
-
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: PUEL
- Guest OSses: Any and all
- Contact:
Re: Discuss the 4.3.28 release
smithlar wrote:
    It is being reported in the Tech Press that VENOM can be exploited whether or not a floppy controller is configured.
I suppose that says something about the tech press. And that something is not very nice.
Let's quote the actual VENOM website: "And on Xen and QEMU, even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers." Why is VirtualBox not explicitly listed? Because unless the floppy controller is enabled in VirtualBox, it's not there.
Yes, it's possible that Xen and qemu enable the FDC even if the user didn't (we didn't check). But that is not the case with VirtualBox.
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: Discuss the 4.3.28 release
You know right away that when they give a geeky name like VENOM! to a mundane and unimportant technical weakness, that this story is going to be all hype.
Re: Discuss the 4.3.28 release
michaln wrote:
    Christophe Deprez wrote:
        Does this release protect against CVE-2015-3456 aka "VENOM"?
    You realize that unless you have a VM with a floppy controller configured (unlikely) and have a malicious user running in such VM with superuser privileges, the floppy controller vulnerabilities disclosed in CVE-2015-3456 are completely irrelevant, right?
Very true. The hype, self-promotion, and sensationalism these days around vulnerabilities are unfortunate, and often counter-productive.
However, when one has thousands of developers using Virtual Box across an enterprise business, one's security compliance department does not accept "unlikely" as a status. I cannot be certain that no one has configured the floppy controller, and therefore am looking for clarity as to what remediation path, if any, there is for Virtual Box.
I agree in principle with michaln and mpack's comments, but also this:
noteirak wrote:
    Looks like it does, [...] I would still ask someone else with sufficient skills to validate my statement.
The change log only says: "Floppy: various fixes".
Not very helpful in evaluating the compliance situation.
Thanks!
-
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: PUEL
- Guest OSses: Any and all
- Contact:
Re: Discuss the 4.3.28 release
nbn532 wrote:
    I cannot be certain that no one has configured the floppy controller,
If you can't find out though, you probably have more serious problems to worry about, no? Really, all it takes is to make sure the FDC is turned off and the vulnerability is gone, regardless of VirtualBox version. VirtualBox has not been configuring a FDC by default for normal VMs for the last 5 years or so.
nbn532 wrote:
    and therefore am looking for clarity as to what remediation path, if any, there is for Virtual Box.
You are unfortunately looking in the wrong place. Oracle policy does not allow developers to make any official statements about security issues. So whatever you might be told here is unauthoritative and/or will get someone in trouble. You have to wait for Oracle to publish an advisory or, if you are an Oracle customer, you may want to get in touch with your support representative.
It's probably safe to say that the diffs noteirak pointed at do tell the real story whether 4.3.28 is fixed or not. A security compliance department should be able to make sense of it.
nbn532 wrote:
    not very helpful in evaluating the compliance situation.
Indeed, the sky is falling and there's no one here to provide a reassuring comment. And not only is the sky falling, the vulnerability has been there since 2004...
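A compliance-side check for the precondition michaln describes (a VM with a floppy controller configured), as an added example that is not code from this thread or from VirtualBox itself: it inventories registered VMs and flags any whose `VBoxManage showvminfo --machinereadable` output lists the emulated FDC. The controller type name `I82078` and the `storagecontrollertypeN` keys are assumed from VirtualBox's CLI output; the two sample outputs are constructed so the parsing runs offline.

```shell
#!/bin/sh
# Added example: inventory VirtualBox VMs for a configured floppy controller,
# the precondition for CVE-2015-3456 exposure discussed in the thread.
# Assumes: VBoxManage on PATH for the live scan, and that showvminfo
# --machinereadable reports the emulated FDC as storagecontrollertypeN="I82078".

# Return 0 when the machine-readable VM description ($1) lists a floppy
# controller, 1 otherwise.
has_floppy_controller() {
    printf '%s\n' "$1" | grep -Eq '^storagecontrollertype[0-9]+="I82078"$'
}

# Constructed sample output: IDE + SATA only, no FDC.
SAMPLE_NO_FDC='name="build-box"
storagecontrollername0="IDE"
storagecontrollertype0="PIIX4"
storagecontrollername1="SATA"
storagecontrollertype1="IntelAhci"'

# Constructed sample output: a VM where someone added a floppy controller.
SAMPLE_WITH_FDC='name="legacy-dos"
storagecontrollername0="IDE"
storagecontrollertype0="PIIX4"
storagecontrollername1="Floppy"
storagecontrollertype1="I82078"'

# Walk every registered VM on this host and print the ones with an FDC.
# `VBoxManage list vms` prints one `"name" {uuid}` line per VM.
scan_registered_vms() {
    VBoxManage list vms | sed 's/^"\(.*\)" {[^}]*}$/\1/' |
    while IFS= read -r vm; do
        info=$(VBoxManage showvminfo "$vm" --machinereadable 2>/dev/null) || continue
        if has_floppy_controller "$info"; then
            printf 'floppy controller present: %s\n' "$vm"
        fi
    done
}

# Live scan only when the tool is available; the samples above work offline.
if command -v VBoxManage >/dev/null 2>&1; then
    scan_registered_vms
fi
```

A VM listed by the scan is one where the thread's mitigation (remove the FDC, or at minimum confirm the 4.3.28 fix is installed) applies; VMs without the controller are unaffected per michaln's explanation.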
-
- Posts: 21
- Joined: 6. May 2010, 13:31
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: Discuss the 4.3.28 release
I installed 4.3.28 on Win7hp64 host, but on reboot get the below error when I try to start a guest.
Attached is the log from one of the guests. In case it's relevant, I only have MSE AV installed, which is up2date.
EDIT: I rolled back to 4.3.26 and the problem went away.
Attachments: VBoxStartup.log (15.97 KiB)
-
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: PUEL
- Guest OSses: Any and all
- Contact:
Re: Discuss the 4.3.28 release
michaln wrote:
    You have to wait for Oracle to publish an advisory...
And as Etepetete already mentioned, the official statement is here: http://www.oracle.com/technetwork/topic ... 42656.html
-
- Posts: 58
- Joined: 20. May 2010, 12:32
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: RHEL, Fedora, Windows 7
Re: Discuss the 4.3.28 release
Updating from 4.3.26 to 4.3.28 on a CentOS 5.11 host I get:
    Uninstalling old VirtualBox DKMS kernel modules
    rmdir: : No such file or directory
    rmdir: : No such file or directory
    rmdir: : No such file or directory
    rmdir: : No such file or directory
    [ OK ]
This is not new, but it should be a good idea to do the cosmetic fix of the install scripts.
-
- Posts: 58
- Joined: 20. May 2010, 12:32
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: RHEL, Fedora, Windows 7
Re: Discuss the 4.3.28 release
with 4.3.28 (guestadditions installed) the fonts in a CentOS6.6 guest on a CentOS5.11 host appear larger than in the previous releases. This should not be expected. On a Yosemite host on the other side the behaviour of a CentOS6.6 guest is as in the previous releases of VirtualBox.
Re: Discuss the 4.3.28 release
dmischa wrote:
    with 4.3.28 (guestadditions installed) the fonts in a CentOS6.6 guest on a CentOS5.11 host appear larger than in the previous releases. This should not be expected. On a Yosemite host on the other side the behaviour of a CentOS6.6 guest is as in the previous releases of VirtualBox.
Thank you. I am aware of this, but do not yet have a recipe to reliably reproduce it. If you can find out more that would be of interest. A diff of the Xorg.*.log file with old Additions and smaller fonts and with new Additions and larger fonts might be interesting too.