Security Experts:

Connect with us

Hi, what are you looking for?



Several Flaws Patched in Xen Hypervisor

The Xen Project released on Thursday a total of nine advisories describing recently patched Xen hypervisor vulnerabilities.

The Xen Project released on Thursday a total of nine advisories describing recently patched Xen hypervisor vulnerabilities.

The list of patched security holes includes a multicall issue that can be exploited by a malicious guest to crash a host (CVE-2015-7812), hypercall issues that can be leveraged to cause a denial-of-service (DoS) condition via repeated logging to the hypervisor console (CVE-2015-7813 and CVE-2015-7971), a race condition that can lead to a crash of the host (CVE-2015-7814), and a privilege escalation vulnerability (CVE-2015-7835).

The privilege escalation vulnerability is the most serious of the issues patched on this occasion. In fact, an advisory published by experts from Qubes OS, a security-oriented operating system designed for PCs, names it “probably the worst [flaw] we have seen affecting the Xen hypervisor, ever.” They believe the security bug might have been around for as many as 7 years.

According to the Xen Project, the vulnerability, related to “uncontrolled creation of large page mappings by PV guests,” can be exploited by malicious PV guest administrators to escalate privileges and gain control of the entire system.

The patches released on Thursday also resolve different flaws that are related to each other. For example, the same CVE identifier, CVE-2015-7969, has been assigned to two memory leak issues that can be exploited for DoS attacks.

Two other related DoS vulnerabilities are CVE-2015-7972, described in the XSA-150 advisory, and CVE-2015-7970, described in the XSA-153 advisory and discovered by the Xen Project’s security team during the analysis of CVE-2015-7972.

“When running an HVM domain in Populate-on-Demand mode, Xen would sometimes search the domain for memory to reclaim, in response to demands for population of other pages in the same domain,” the Xen Project said in the description of the first bug. “This search runs without preemption. The guest can, by suitable arrangement of its memory contents, create a situation where this search is a time-consuming linear scan of the guest’s address space.”

“The scan might be triggered by the guest’s own actions, or by toolstack operations such as migration. In guests affected by XSA-153, this scan might be triggered simply by memory pressure in the guest,” the organization added.

Experts from Citrix, Alibaba, and SUSE have been credited for reporting these vulnerabilities.

Users are advised to apply the patches as soon as possible. Mitigations are also available for some of the issues.

While patches for these flaws were released to the public on Thursday, organizations on the Xen Project’s pre-disclosure list received the fixer earlier to give them time to patch before vulnerability details were disclosed. The pre-disclosure list includes public hosting providers, large-scale organizational Xen users, Xen-based system vendors, and distributors of operating systems with Xen support. Amazon, Google, Linode, Oracle, Rackspace, and several Linux distro developers are on the list.

*Updated with additional information on the privilege escalation vulnerability 

Related: Xen Patches Two QEMU Vulnerabilities

Related: Xen Hypervisor Flaws Force Amazon, Rackspace to Reboot Servers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...