
Venom Detector script

Posted: 2015/05/14 16:04:18
by jab2805
Hi all,


I have been looking for a venom script I can run on my servers to check if they are vulnerable!


All I have thus far is:

if [ `dmesg | egrep -i 'xen|front' | grep 'HVM' | wc -l` -eq 0 ] ; then echo "PV Not Impacted" ; else echo "PVHVM vulnerable" ; fi

This was provided by Rackspace.

I'm not sure if this works for CentOS DOM0's running XEN or KVM.

Does anyone in the community have a CentOS script?

Re: Venom Detector script

Posted: 2015/05/14 16:07:50
by TrevorH
I've run the dmesg | egrep -i 'xen|front' | grep 'HVM' | wc -l portion of that script on unpatched xen and kvm hosts and guests and all of them return 0 so I don't think it's working properly.

Re: Venom Detector script

Posted: 2015/05/14 18:13:20
by jab2805
OK, that is bad. It must be something that is related to Rackspace servers...

Re: Venom Detector script

Posted: 2015/05/15 15:53:42
by aks
My understanding is that if you're using the reported vulnerable platforms, it's possible to be exploited because the virtual hardware's floppy is where the problem exists. Even if you don't have a floppy attached, the code still exists in the virtual hardware layer and could be executed (called).

Just my 2 cents worth...

Re: Venom Detector script

Posted: 2015/05/19 14:20:48
by jab2805
I'm using the below script to find KVM systems whose release number is lower than 448 (CHECKKVM), and CHECKXEN to detect Xen hosts with the issue.

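Code:

#!/bin/bash

# Check KVM: compare the three-digit field of the qemu-kvm package name with 448
CHECKKVM()
{
    # Split the package name on dots and keep the first field containing three digits
    release=$(rpm -qa qemu-kvm | tr '.' '\n' | grep '[0-9][0-9][0-9]' | head -n 1)

    if [ -z "$release" ]
    then
        # Package missing or no three-digit field: nothing to compare
        echo "qemu-kvm release not found"
    elif [ "$release" -lt 448 ]
    then
        echo "vulnerable"
    else
        echo "Looks good"
    fi
}

# Check XEN: look for HVM lines in the kernel log
CHECKXEN()
{
    if [ "$(dmesg | egrep -i 'xen|front' | grep -c 'HVM')" -eq 0 ] ; then echo "PV Not Impacted" ; else echo "PVHVM vulnerable" ; fi
}

# Check if it's a KVM host
if lsmod | grep -q kvm
then
    CHECKKVM
else
    CHECKXEN
fi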

Re: Venom Detector script

Posted: 2015/05/22 07:12:21
by giulix63
Release of qemu-kvm on my fully patched 7.1 laptop is at 86. What release are we talking here? Also, isn't this only applicable to the hosts? How about testing the guests? I tried compiling the PoC that's available on various sites, but it always segfaults on hosts, no matter what. I haven't tried to run it on guests because I'm afraid it may crash the host. Has anyone tried that?
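The release comparison from the script earlier in the thread, as an added example that is not part of the original posts: it takes the build number from the package release field instead of grepping for three digits, so a release such as the 86 mentioned in this post is parsed rather than coming back empty. The function names, the constructed sample package strings and the reliance on an ".el" dist tag are assumptions of this example; 448 is the threshold from the thread's script, and a threshold for any other release series has to be supplied by the caller.

```shell
#!/bin/bash
# Added example, not code from the thread.

# Print the build number of a name-version-release.arch string, i.e. the last
# numeric field before the ".el" dist tag. Returns 1 if it cannot be parsed.
build_number() {
    local rel="${1##*-}"     # drop name-version, keep release.arch
    rel="${rel%%.el*}"       # drop the dist tag and everything after it
    rel="${rel##*.}"         # keep the last dot-separated field
    case $rel in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: refuse to guess
    esac
    printf '%s\n' "$rel"
}

# Classify a package string against a caller-supplied minimum build number.
# Exit status: 0 = at or above minimum, 1 = below minimum, 2 = not parseable.
check_build() {
    local pkg="$1" minimum="$2" build
    if ! build=$(build_number "$pkg"); then
        echo "unknown"
        return 2
    fi
    if [ "$build" -lt "$minimum" ]; then
        echo "vulnerable"
        return 1
    fi
    echo "Looks good"
}

# Constructed sample strings, compared with the 448 threshold from the thread.
for pkg in \
    "qemu-kvm-0.12.1.2-2.415.el6.x86_64" \
    "qemu-kvm-0.12.1.2-2.448.el6_6.3.x86_64" \
    "package qemu-kvm is not installed"
do
    printf '%s: %s\n' "$pkg" "$(check_build "$pkg" 448)"
done

# Constructed string in the two-digit release style: parsed, not empty.
printf 'build number: %s\n' "$(build_number "qemu-kvm-1.5.3-86.el7_1.2.x86_64")"
```

On a real host the package string would come from rpm -q qemu-kvm, and an "unknown" result should be treated as unverified rather than as safe.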

Re: Venom Detector script

Posted: 2015/05/22 19:01:09
by aks
My understanding is that "venom" attacks the guests to ultimately attack the host (the physical host).

There again, I could be wrong....