Xen Project plugs critical host hijacking flaw, patch ASAP
The latest security update (XSA-145 through 153) for the popular Xen virtualization software fixes nine issues.
Eight of them can lead to Denial of Service, but the ninth is much more serious than that, and could be exploited by a malicious para-virtualized guest administrator to escalate privilege and gain control of the whole system.
For those interested, a rundown of the vulnerability can be found in this post by a Qubes OS project contributor.
The flaw, discovered and reported by an Alibaba employee, was apparently introduced in late 2008, when support for superpages was added.
“It is really shocking that such a bug has been lurking in the core of the hypervisor for so many years. In our opinion the Xen project should rethink their coding guidelines and try to come up with practices and perhaps additional mechanisms that would not let similar flaws to plague the hypervisor ever again (assert-like mechanisms perhaps?). Otherwise the whole project makes no sense, at least to those who would like to use Xen for security-sensitive work,” the developer commented.
Specifically, it worries us that, in the last 7 years (i.e. all the time when the bug was sitting there having a good time) so much engineering and development effort has been put into adding all sorts of new features and whatnots, yet no serious effort to improve Xen security effectively,” he noted. “Bugs in Xen are being found regularly, and this is no good news. For a type-1 hypervisor of the age and maturity of Xen, this simply should not be happening. If it does, it suggests the development process is not prioritizing security.”
The vulnerability affects Xen version 3.4 and onward, but only x86 systems, and not ARM ones.
According to Dan Goodin, Xen Project managers disclosed the vulnerability and provided patches for it to a number of cloud services weeks ago. “That means Amazon and many other cloud services have already patched the vulnerability. It would also explain why some services have recently required customers to restart their guest operating systems,” he commented.