Menu
Xen patches new virtual-machine escape vulnerability

Xen patches new virtual-machine escape vulnerability

The flaw affects virtualization systems that use QEMU to emulate CD-ROM drives

Illustration of security online

Illustration of security online

A new vulnerability in emulation code used by the Xen virtualization software can allow attackers to bypass the critical security barrier between virtual machines and the host operating systems they run on.

The vulnerability is located in the CD-ROM drive emulation feature of QEMU, an open source hardware emulator that's used by Xen, KVM and other virtualization platforms. The flaw is tracked as CVE-2015-5154 in the Common Vulnerabilities and Exposures database.

The Xen Project released patches for its supported releases Monday and noted that all Xen systems running x86 HVM guests without stubdomains and which have been configured with an emulated CD-ROM drive model are vulnerable.

Successful exploitation can allow a user with access to a guest OS to take over the QEMU process and execute code on the host OS. That violates one of the primary safeguards of virtual machines that is designed to protect the host OS from the actions of a guest.

Fortunately, Xen-based virtualization systems that are not configured to emulate a CD-ROM drive inside the guest OS are not affected, which will probably be the case for most data centers.

The vulnerability is similar to another one reported in May in QEMU's floppy drive emulation code. However, that flaw, which was dubbed Venom, was more serious because the vulnerable code remained active even if the administrator disabled the virtual floppy drive for a virtual machine.

Multiple Linux distributions, including Red Hat Enterprise Linux 7 and SUSE Linux Enterprise 12 received patches for QEMU, KVM or Xen.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags patchesExploits / vulnerabilitiesxen project

Events

Featured

Slideshows

Channel kicks 2021 into gear as After Hours returns to Auckland

Channel kicks 2021 into gear as After Hours returns to Auckland

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Pantry at Park Hyatt in Auckland to kick-start 2021.

Channel kicks 2021 into gear as After Hours returns to Auckland
The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Show Comments