Menu
Critical Xen hypervisor flaw endangers virtualized environments

Critical Xen hypervisor flaw endangers virtualized environments

The vulnerability allows attackers with access to a guest OS to read the host's memory

A critical vulnerability in the widely used Xen hypervisor allows attackers to break out of a guest operating system running inside a virtual machine and access the host system's entire memory.

This is a serious violation of the security barrier enforced by the hypervisor and poses a particular threat to multi-tenant data centers where the customers' virtualized servers share the same underlying hardware.

The open-source Xen hypervisor is used by cloud computing providers and virtual private server hosting companies, as well as by security-oriented operating systems like Qubes OS.

The new vulnerability affects Xen 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x and has existed in the Xen code base for over four years. It was unintentionally introduced in December 2012 as part of a fix for a different issue.

The Xen project released a patch Tuesday that can be applied manually to vulnerable deployments. The good news is that the vulnerability can only be exploited from 64-bit paravirtualized guest operating systems.

Xen supports two types of virtual machines: Hardware Virtual Machines (HVMs), which use hardware-assisted virtualization, and paravirtualized (PV) VMs that use software-based virtualization. Based on whether they use PV VMs, Xen users might be affected or not.

For example, Amazon Web Services said in an advisory that its customers' data and instances were not affected by this vulnerability and no customer action is required. Meanwhile, virtual private server provider Linode had to reboot some of its legacy Xen servers in order to apply the fix.

Qubes OS, an operating system that uses Xen to isolate applications inside virtual machines, also put out an advisory warning that an attacker who exploits another vulnerability, for example inside a browser, can exploit this Xen issue to compromise the whole Qubes system.

The Qubes developers have released a patched Xen package for Qubes 3.1 and 3.2 and reiterated their intention to stop using paravirtualization altogether in the upcoming Qubes 4.0.

Vulnerabilities that allow breaking the isolation layer of virtual machines can be very valuable for attackers. The recent Pwn2Own hacking contest offered a $100,000 reward for virtual machine escapes in VMware Workstation or Microsoft Hyper-V. Exploit acquisition firm Zerodium offers up to $50,000 for such an exploit.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomed 2018 inductees - Chris Simpson, Kendra Ross and Phill Patton - to the third running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing landscape of the technology industry in New Zealand, while outlining ways to attract a new breed of players to the ecosystem. Photos by Gino Demeer.

Reseller News welcomes industry figures for 2019 Hall of Fame lunch
Upcoming tech talent share insights at inaugural Emerging Leaders Forum 2019

Upcoming tech talent share insights at inaugural Emerging Leaders Forum 2019

The channel came together for the inaugural Reseller News Emerging Leaders Forum in New Zealand, created to provide a program that identifies, educates and showcases the upcoming talent of the ICT industry. Hosted as a half day event, attendees heard from industry champions as keynoters and panelists talked about future opportunities and leadership paths and joined mentoring sessions with members of the ICT industry Hall of Fame. The forum concluded with 30 Under 30 Tech Awards across areas of Sales, Entrepreneur, Marketing, Management, Technical and Human Resources. Photos by Gino Demeer.

Upcoming tech talent share insights at inaugural Emerging Leaders Forum 2019
Show Comments