Venom Detector script

Support for security such as Firewalls and securing linux
jab2805
Posts: 14
Joined: 2015/01/12 20:36:13

Venom Detector script

Post by jab2805 » 2015/05/14 16:04:18

Hi all,


I have been looking for a venom script I can run on my servers to check if they are vulnerable!


All I have thus far is:

if [ `dmesg | egrep -i 'xen|front' | grep 'HVM' | wc -l` -eq 0 ] ; then echo "PV Not Impacted" ; else echo "PVHVM vulnerable" ; fi

This was provided by Rackspace.

I'm not sure if this works for CentOS DOM0's running XEN or KVM.

Does anyone in the community have a CentOS script?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Venom Detector script

Post by TrevorH » 2015/05/14 16:07:50

I've run the dmesg | egrep -i 'xen|front' | grep 'HVM' | wc -l portion of that script on unpatched xen and kvm hosts and guests and all of them return 0 so I don't think it's working properly.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jab2805
Posts: 14
Joined: 2015/01/12 20:36:13

Re: Venom Detector script

Post by jab2805 » 2015/05/14 18:13:20

OK, that is bad. It must be something that is related to Rackspace servers...

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Venom Detector script

Post by aks » 2015/05/15 15:53:42

My understanding is that if you're using the reported vulnerable platforms, it's possible to be exploited because the virtual hardware's floppy is where the problem exists. Even if you don't have a floppy attached, the code still exists in the virtual hardware layer and could be executed (called).

Just my 2 cents worth...

jab2805
Posts: 14
Joined: 2015/01/12 20:36:13

Re: Venom Detector script

Post by jab2805 » 2015/05/19 14:20:48

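I'm using the script below to find KVM systems whose release number is lower than 448 (CHECKKVM), and CHECKXEN to detect Xen hosts with the issue.

Code:

#!/bin/bash

# Check KVM: compare the release number of the installed qemu-kvm package
# against 448
CHECKKVM()
{
    # Split the package name on dots and keep the first all-digit field
    # with at least three digits
    release=$(rpm -qa qemu-kvm | tr '.' '\012' | grep -E -m1 '^[0-9]{3,}$')

    if [ -z "$release" ]
    then
        # Package not installed, or no such field in its name
        echo "qemu-kvm release number not found"
    elif [ "$release" -lt 448 ]
    then
        echo "vulnerable"
    else
        echo "Looks good"
    fi
}

# Check XEN
CHECKXEN()
{
    if [ "$(dmesg | grep -Ei 'xen|front' | grep -c 'HVM')" -eq 0 ] ; then echo "PV Not Impacted" ; else echo "PVHVM vulnerable" ; fi
}

# Check if it's a KVM host
if lsmod | grep -q kvm
then
    CHECKKVM
else
    CHECKXEN
fi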

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: Venom Detector script

Post by giulix63 » 2015/05/22 07:12:21

Release of qemu-kvm on my fully patched 7.1 laptop is at 86. What release are we talking here? Also, isn't this only applicable to the hosts? How about testing the guests? I tried compiling the PoC that's available on various sites, but it always segfaults on hosts, no matter what. I haven't tried to run it on guests because I'm afraid it may crash the host. Has anyone tried that?
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.
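
Added example (not part of any post in this thread): a bash sketch of the release comparison that takes the build number from the RPM RELEASE field instead of splitting the whole package name on dots, so a release such as the 86 mentioned above yields "unknown" rather than a wrong verdict or a shell error. The 448 threshold is the one from jab2805's script and is assumed here to apply to el6 packages only; the function names and sample RELEASE strings are constructed for illustration, and the fixed build for a given platform should be taken from the vendor advisory.

```bash
#!/bin/bash
# Added example, not from the thread. On a real host the RELEASE string comes from:
#   rpm -q --queryformat '%{RELEASE}\n' qemu-kvm

# Print the build number: the last all-digit field before the ".elN" dist tag.
# "2.448.el6_6.3" -> 448, "86.el7_1.2" -> 86. Prints nothing if unparseable.
build_number() {
    local rel="$1" head last
    head="${rel%%.el[0-9]*}"             # drop the dist tag and what follows
    [ "$head" != "$rel" ] || return 0    # no dist tag found
    last="${head##*.}"
    case "$last" in
        ''|*[!0-9]*) return 0 ;;         # not purely numeric
        *) echo "$last" ;;
    esac
}

# Print the EL major version from the dist tag: "2.448.el6_6.3" -> 6.
el_major() {
    local rel="$1" tail
    tail="${rel#*.el}"
    [ "$tail" != "$rel" ] || return 0
    echo "${tail%%[!0-9]*}"
}

# Print "vulnerable", "looks good" or "unknown" for one RELEASE string.
check_release() {
    local rel="$1" build major min=""
    build=$(build_number "$rel")
    major=$(el_major "$rel")
    # 448 is the threshold from the thread's script, assumed to be el6-only.
    # The thread gives no number for other majors, so they stay unknown.
    if [ "$major" = "6" ]; then min=448; fi
    if [ -z "$build" ] || [ -z "$min" ]; then
        echo "unknown"
    elif [ "$build" -lt "$min" ]; then
        echo "vulnerable"
    else
        echo "looks good"
    fi
}

# Constructed sample RELEASE strings, not taken from a real host.
for rel in "2.415.el6_5.14" "2.448.el6_6.3" "86.el7_1.2" "garbage"; do
    printf '%-16s %s\n' "$rel" "$(check_release "$rel")"
done
```
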

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Venom Detector script

Post by aks » 2015/05/22 19:01:09

My understanding is that "venom" attacks the guests to ultimately attack the host (the physical host).

There again, I could be wrong....
