Xen Hypervisor Patched for Privilege Escalation and Information Leak Flaws
The Xen Project has fixed five new vulnerabilities in the widely used Xen virtualization hypervisor. The flaws could allow attackers to break out of virtual machines and access sensitive information from host systems.
According to an analysis by the security team of Qubes OS, an operating system that relies on Xen for its security model, most of the vulnerabilities stem from the mechanism that’s used to share memory between domains. Under Xen, the host system and the virtual machines (guests) run in separate security domains.
The most severe vulnerability is located in the memory management code for paravirtualized (PV) VMs and allows a guest to escalate its privileges to those of the host, breaking the critical isolation layer between them. This vulnerability is tracked as CVE-2017-12137 and is covered in the Xen XSA-227 security advisory.
Xen supports two types of virtual machines: paravirtualized (PV), which use software-based virtualization through an API, and Hardware Virtual Machines (HVMs), which make use of the virtualization features baked directly into modern CPUs. Of the two, PV is considered the legacy mode and has been a constant source of serious privilege escalation flaws in Xen over the past few years.
In information security, privilege escalation vulnerabilities are security flaws that grant a user more rights or permissions than they should normally have. In the context of an operating system, this could mean a way to gain full administrative privileges (root) on the machine from a restricted user. In the context of hypervisors like Xen, it could mean breaking out of a virtual machine and gaining privileges on the host system, which would likely lead to the compromise of all virtual machines that share the same physical hardware.
A second vulnerability, located in the transitive grants mechanism and tracked as CVE-2017-12135, could allow an attacker in control of a guest OS to crash Xen, leading to a denial-of-service condition. However, privilege escalation and information leaks cannot be ruled out, the Xen team said in an advisory.
Two other vulnerabilities patched in the recent release, CVE-2017-12136 and CVE-2017-12134, can also be exploited to crash Xen and might allow for privilege escalation. Of these, the latter is not actually in the Xen hypervisor itself, but in a Linux kernel mechanism that’s used to merge adjacent Xen-specific block IO requests. In addition to DoS and privilege escalation, this flaw could also lead to a leak of sensitive information.
Finally, the fifth fixed vulnerability, tracked as CVE-2017-12855, may lead a guest to use a memory frame granted by the host before it has been freed by another domain. This can also result in an information leak.
Xen is widely used in cloud hosting environments, both public and private, to set up virtual private servers. Multi-tenant data centers are usually at a greater risk of attacks, so their owners are forced to reboot servers in order to apply Xen patches as soon as they come out. Some large hosting companies are notified by the Xen Project in advance so they can schedule maintenance windows.