The Xen Project has fixed serious vulnerabilities in its widely used hypervisor software this week, forcing virtual server operators to schedule maintenance downtime to apply patches and reboot the affected systems.
If left unpatched, the vulnerabilities could be exploited from within guest operating systems to crash the hypervisor, extract sensitive information from the host OS or other guests or to escape from the virtual machine and gain the same privileges as the hypervisor — in other words, get full control over everything.
Even though many of the critical vulnerabilities patched in Xen in recent months have only affected Xen-based virtual machines that use paravirtualization (PV), some of the flaws fixed in this security release also affect Hardware Virtual Machines (HVMs). PV VMs use software-based virtualization through an API, while HVMs use hardware-assisted virtualization that can better take advantage of certain features of modern hardware.
The flaws patched this week have not yet received Common Vulnerabilities and Exposures (CVE) IDs yet, but they are described in Xen security advisories XSA-216 to XSA-225. The good news is that most of them are not easy to exploit in practice due to certain requirements or limitations, according to an analysis by the security team of Qubes OS.
Qubes OS is a security-oriented desktop operating system that uses Xen to isolate applications inside virtual machines. Because Xen sits at the core of the operating system’s security model, any vulnerability in the hypervisor is a potential security risk for Qubes itself and gets assessed by its developers.
“Each [flaw] requires either some race condition to win (XSA 217, 218, 219), control over more than one VM (XSA 218, 219), some memory allocation, which is normally beyond attacker’s control, to fail or happen in some specific way (XSA 216, 217, 218, 219, 222), or a combination of these,” the Qubes OS team said in its analysis. “Additionally, some bugs are believed to be limited to being leaks or DoS [denial-of-service] only (XSA 216, 221), or affecting only intra-VM-security (XSA 220).”
This doesn’t mean that the flaws should be ignored and left unpatched. Qubes is a desktop-oriented OS and while some of the exploitation requirements might be hard to meet on Qubes, things might be different for a multitenant data center with multiple virtual private servers running on the same hypervisor.
For example, cloud hosting provider Linode had to reboot some of its legacy Xen host servers so it could apply the patches. The company advised customers to move to its KVM (Kernel-based Virtual Machine) servers to avoid being impacted in the future.
Amazon Web Services said in an advisory that its customers’ data and instances were not affected by these Xen security issues and patches.
Feature image via Pixabay.