EX and QFX Series devices with virtualization support; specifically EX4600, QFX5100, and QFX10002.
In products utilizing virtualization technologies, a buffer overflow vulnerability in QEMU component of the KVM/QEMU and Xen hypervisors may allow privileged guest users such as an administrative user in a virtual machine to crash the guest OS. This issue may potentially allow execution of arbitrary code on the host OS. If an untrusted VM is being run it may lead to complete compromise of the host machine and other VMs.
This vulnerability is named 'VENOM' and assigned
CVE-2015-3456.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability on Juniper products.
The following Juniper products make use of affected virtualization technologies:
- EX Series device EX4600
- QFX Series devices QFX5100 and QFX10002
The following Juniper products are not vulnerable:
- EX and QFX series devices not listed above are not vulnerable.
- Virtual Route Reflector is not vulnerable.
- QFabric Director is not vulnerable.
- Junos Space is not vulnerable: While Junos Space includes a vulnerable version of QEMU, it does not permit root access in a guest OS and hence not impacted by this issue. QEMU will be updated in the next possible release as a precaution.
Products that do not include any virtualization technologies like SRX Series and ScreenOS are not affected by this vulnerability.
Since successful exploitation requires root privileges in a virtual machine, restricting administrative access to virtual machines to trusted administrators and not running untrusted virtual machines should help in reducing the risks of exploitation of this issue.
Modification History:
2015-07-08: Initial publication
2019-12-17: Added reference to problem report (PR)
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."