Hi all,
I have been looking for a venom script I can run on my servers to check if they are vulnerable!
All I have thus far is:
if [ `dmesg | egrep -i 'xen|front' | grep 'HVM' | wc -l` -eq 0 ] ; then echo "PV Not Impacted" ; else echo "PVHVM vulnerable" ; fi
This was provided by Rackspace.
I'm not sure if this works for CentOS DOM0's running XEN or KVM.
Does anyone in the community have a CentOS script?
Venom Detector script
Re: Venom Detector script
I've run the dmesg | egrep -i 'xen|front' | grep 'HVM' | wc -l portion of that script on unpatched xen and kvm hosts and guests and all of them return 0 so I don't think it's working properly.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Venom Detector script
OK, that is bad. It must be something that is related to Rackspace servers...
Re: Venom Detector script
My understanding is that if you're using the reported vulnerable platforms, it's possible to be exploited because the virtual hardware's floppy is where the problem exists. Even if you don't have a floppy attached, the code still exists in the virtual hardware layer and could be executed (called).
Just my 2 cents worth...
Re: Venom Detector script
I'm using the script below to find KVM systems whose release number is lower than 448 (CHECKKVM), and CHECKXEN to detect Xen hosts with the issue.
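Code:
#!/bin/bash

# Check KVM: take the dot-separated field of the qemu-kvm package name that is
# a number of three or more digits and compare it against 448.
CHECKKVM()
{
    release=$(rpm -qa qemu-kvm | tr '.' '\012' | grep -E '^[0-9]{3,}$' | head -n 1)
    if [ -z "$release" ]
    then
        echo "Could not determine qemu-kvm release"
    elif [ "$release" -lt 448 ]
    then
        echo "vulnerable"
    else
        echo "Looks good"
    fi
}

# Check XEN: look for HVM in the Xen-related kernel messages
CHECKXEN()
{
    if [ "$(dmesg | egrep -i 'xen|front' | grep 'HVM' | wc -l)" -eq 0 ]
    then
        echo "PV Not Impacted"
    else
        echo "PVHVM vulnerable"
    fi
}

# Check if it's a KVM host (kvm kernel module loaded)
if lsmod | grep -q kvm
then
    CHECKKVM
else
    CHECKXEN
fi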
Re: Venom Detector script
Release of qemu-kvm on my fully patched 7.1 laptop is at 86. What release are we talking here? Also, isn't this only applicable to the hosts? How about testing the guests? I tried compiling the PoC that's available on various sites, but it always segfaults on hosts, no matter what. I haven't tried to run it on guests because I'm afraid it may crash the host. Has anyone tried that?
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.
Re: Venom Detector script
My understanding is that "venom" attacks the guests to ultimately attack the host (the physical host).
There again, I could be wrong....