Security Experts:

Several Flaws Patched in Xen Hypervisor

The Xen Project released on Thursday a total of nine advisories describing recently patched Xen hypervisor vulnerabilities.

The list of patched security holes includes a multicall issue that can be exploited by a malicious guest to crash a host (CVE-2015-7812), hypercall issues that can be leveraged to cause a denial-of-service (DoS) condition via repeated logging to the hypervisor console (CVE-2015-7813 and CVE-2015-7971), a race condition that can lead to a crash of the host (CVE-2015-7814), and a privilege escalation vulnerability (CVE-2015-7835).

The privilege escalation vulnerability is the most serious of the issues patched on this occasion. In fact, an advisory published by experts from Qubes OS, a security-oriented operating system designed for PCs, names it “probably the worst [flaw] we have seen affecting the Xen hypervisor, ever.” They believe the security bug might have been around for as many as 7 years.

According to the Xen Project, the vulnerability, related to “uncontrolled creation of large page mappings by PV guests,” can be exploited by malicious PV guest administrators to escalate privileges and gain control of the entire system.

The patches released on Thursday also resolve different flaws that are related to each other. For example, the same CVE identifier, CVE-2015-7969, has been assigned to two memory leak issues that can be exploited for DoS attacks.

Two other related DoS vulnerabilities are CVE-2015-7972, described in the XSA-150 advisory, and CVE-2015-7970, described in the XSA-153 advisory and discovered by the Xen Project’s security team during the analysis of CVE-2015-7972.

“When running an HVM domain in Populate-on-Demand mode, Xen would sometimes search the domain for memory to reclaim, in response to demands for population of other pages in the same domain,” the Xen Project said in the description of the first bug. “This search runs without preemption. The guest can, by suitable arrangement of its memory contents, create a situation where this search is a time-consuming linear scan of the guest's address space.”

“The scan might be triggered by the guest's own actions, or by toolstack operations such as migration. In guests affected by XSA-153, this scan might be triggered simply by memory pressure in the guest,” the organization added.

Experts from Citrix, Alibaba, and SUSE have been credited for reporting these vulnerabilities.

Users are advised to apply the patches as soon as possible. Mitigations are also available for some of the issues.

While patches for these flaws were released to the public on Thursday, organizations on the Xen Project’s pre-disclosure list received the fixer earlier to give them time to patch before vulnerability details were disclosed. The pre-disclosure list includes public hosting providers, large-scale organizational Xen users, Xen-based system vendors, and distributors of operating systems with Xen support. Amazon, Google, Linode, Oracle, Rackspace, and several Linux distro developers are on the list.

*Updated with additional information on the privilege escalation vulnerability 

Related: Xen Patches Two QEMU Vulnerabilities

Related: Xen Hypervisor Flaws Force Amazon, Rackspace to Reboot Servers

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.