Xen hypervisor faces third highly critical VM escape bug in 10 months

The Xen paravirtualization mode is proving to be a constant source of serious vulnerabilities, allowing attackers to escape from virtual machines

The Xen Project has fixed three vulnerabilities in its widely used hypervisor that could allow operating systems running inside virtual machines to access the memory of the host systems, breaking the critical security layer among them.

Two of the patched vulnerabilities can only be exploited under certain conditions, which limits their use in potential attacks, but one is a highly reliable flaw that poses a serious threat to multitenant data centers where the customers' virtualized servers share the same underlying hardware.

The flaws don't yet have CVE tracking numbers, but are covered in three Xen security advisories called XSA-213, XSA-214 and XSA-215.

"XSA-213 is a fatal, reliably exploitable bug in Xen," said the security team of Qubes OS, an operating system that isolates applications inside Xen virtual machines. "In the nearly eight-year history of the Qubes OS project, we have become aware of four bugs of this calibre: XSA-148, XSA-182, XSA-212 and now XSA-213."

Of these four highly critical and easy to exploit vulnerabilities, three have been found and patched over the past 10 months and two over the past month -- XSA-182 was fixed in July 2016, XSA-212 in April and XSA-213 on Tuesday.

Another commonality is that all of them affected the Xen memory virtualization for paravirtualized (PV) VMs. Xen supports two types of virtual machines: Hardware Virtual Machines (HVMs), which use hardware-assisted virtualization, and paravirtualized VMs that use software-based virtualization.

The other two flaws patched Tuesday, XSA-214 and XSA-215, also affect paravirtualized VMs. The difference is that XSA-214 requires two malicious guest VMs to work together in order to access the system memory, while XSA-215 only affects "x86 systems with physical memory extending to a configuration dependent boundary of 5TB or 3.5TB."

One limitation for XSA-213 is that it can only be exploited from 64-bit PV guests, so systems running only HVM or 32-bit PV guests are not affected.

The Xen developers released patches for Xen 4.8.x, Xen 4.7.x, Xen 4.6.x and Xen 4.5.x that can be applied manually to affected systems.

The open-source Xen hypervisor is used by many cloud computing providers and virtual private server (VPS) hosting companies, some of which received the patches in advance and were forced to schedule maintenance downtimes.

For example, VPS provider Linode had to reboot some of its legacy Xen PV hosts in order to apply the fix and advised customers to move to its HVM-based servers to avoid future downtimes.

Meanwhile, Amazon Web Services said that its customers' data and instances were not affected by these vulnerabilities and no customer action was required.

The Qubes OS team, which prides itself on building one of the most secure desktop operating systems, has had enough of having to repeatedly deal with Xen PV vulnerabilities. That's why, over the past 10 months, it has put in extra work to switch the next version of the OS -- Qubes 4.0 -- to HVM.

"We originally hoped we could transition to running all Linux VMs in a so-called PVH mode of virtualization, where the I/O emulator is not needed at all, but it turned out the Linux kernel is not quite ready for this," the Qubes team said in an analysis of the latest Xen patches. "So, in Qubes 4.0, we will use the classic HVM mode, where the I/O emulator is sandboxed within... a PV VM (which is also the case when one runs Windows AppVMs on Qubes 3.x)."

The good news is that the groundwork is set to switch Qubes to PVH in the future when the Linux kernel adds the needed support, and even to replace Xen entirely with something else, if a better alternative comes along.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?