Menu
Xen Project patches serious virtual machine escape flaws

Xen Project patches serious virtual machine escape flaws

The updates fix a total of four flaws, two allowing privilege escalation from guest VMs to the host

The Xen Project has fixed four vulnerabilities in its widely used virtualization software, two of which could allow malicious virtual machine administrators to take over host servers.

Flaws that break the isolation layer between virtual machines are the most serious kind for a hypervisor like Xen, which allows users to run multiple VMs on the same underlying hardware in a secure manner.

The Xen hypervisor is widely used by cloud computing providers and virtual private server hosting companies like Linode, which had to reboot some of its servers over the past few days to apply the new patches.

The Xen updates, which were shared with partners in advance, were released publicly Thursday along with accompanying security advisories.

One vulnerability identified as CVE-2016-7093 affects Hardware Virtual Machines (HVMs) which use hardware-assisted virtualization. It allows an administrator of a guest OS to escalate their privilege to that of the host.

The vulnerability affects Xen versions 4.7.0 and later, as well as Xen releases 4.6.3 and 4.5.3 but only those deployments with HVM guests running on x86 hardware.

Another privilege escalation flaw identified as CVE-2016-7092 affects the other type of virtual machines supported by Xen: paravirtualized (PV) VMs. The vulnerability affects all Xen versions and allows administrators of 32-bit PV guests to gain privileges on the host.

The two other patched vulnerabilities, CVE-2016-7154 and CVE-2016-7094, can be exploited by guest administrators to cause denial-of-service conditions on the host. In the case of CVE-2016-7154, which only affects Xen 4.4, remote code execution and privilege escalation cannot be excluded, the Xen Project said in an advisory.

Meanwhile, CVE-2016-7094 affects all versions of Xen but only deployments hosting HVM guests on x86 hardware that are configured to run with shadow paging.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments