Menu
Xen Project patches serious virtual machine escape flaws

Xen Project patches serious virtual machine escape flaws

The updates fix a total of four flaws, two allowing privilege escalation from guest VMs to the host

The Xen Project has fixed four vulnerabilities in its widely used virtualization software, two of which could allow malicious virtual machine administrators to take over host servers.

Flaws that break the isolation layer between virtual machines are the most serious kind for a hypervisor like Xen, which allows users to run multiple VMs on the same underlying hardware in a secure manner.

The Xen hypervisor is widely used by cloud computing providers and virtual private server hosting companies like Linode, which had to reboot some of its servers over the past few days to apply the new patches.

The Xen updates, which were shared with partners in advance, were released publicly Thursday along with accompanying security advisories.

One vulnerability identified as CVE-2016-7093 affects Hardware Virtual Machines (HVMs) which use hardware-assisted virtualization. It allows an administrator of a guest OS to escalate their privilege to that of the host.

The vulnerability affects Xen versions 4.7.0 and later, as well as Xen releases 4.6.3 and 4.5.3 but only those deployments with HVM guests running on x86 hardware.

Another privilege escalation flaw identified as CVE-2016-7092 affects the other type of virtual machines supported by Xen: paravirtualized (PV) VMs. The vulnerability affects all Xen versions and allows administrators of 32-bit PV guests to gain privileges on the host.

The two other patched vulnerabilities, CVE-2016-7154 and CVE-2016-7094, can be exploited by guest administrators to cause denial-of-service conditions on the host. In the case of CVE-2016-7154, which only affects Xen 4.4, remote code execution and privilege escalation cannot be excluded, the Xen Project said in an advisory.

Meanwhile, CVE-2016-7094 affects all versions of Xen but only deployments hosting HVM guests on x86 hardware that are configured to run with shadow paging.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments