
Xen Hypervisor Vulnerability Exposed Virtualized Servers

A serious security vulnerability (CVE-2014-7188) affecting the open-source hypervisor Xen has forced Amazon, Rackspace and other cloud providers to reboot their systems in order to apply a patch.


The vulnerability, discovered by Jan Beulich of SUSE, affects Xen 4.1 and onward. However, only x86 systems are impacted (ARM systems are not), the Xen Project noted in a security advisory published on Wednesday.

The flaw can be leveraged by a malicious actor who owns a virtualized server to read data from other systems on the host server. An attacker could also exploit the vulnerability to cause the host to crash.

“The MSR range specified for APIC use in the x2APIC access model spans 256 MSRs. Hypervisor code emulating read and write accesses to these MSRs erroneously covered 1024 MSRs. While the write emulation path is written such that accesses to the extra MSRs would not have any bad effect (they end up being no-ops), the read path would (attempt to) access memory beyond the single page set up for APIC emulation,” reads the advisory.
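The range error the advisory describes can be modelled in a few lines of C, alongside a read path that enforces the 256-MSR limit. This is an added example, not Xen's code or its patch: the struct and function names are hypothetical, and it assumes the architectural x2APIC MSR base of 0x800, a 16-byte register stride and a 4 KiB APIC page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define X2APIC_MSR_BASE  0x800u  /* first x2APIC MSR (x86 architecture) */
#define X2APIC_MSR_COUNT 256u    /* range size stated in the advisory */
#define BUGGY_MSR_COUNT  1024u   /* range the emulation wrongly covered */
#define APIC_PAGE_SIZE   4096u   /* assumed size of the single APIC page */
#define APIC_REG_STRIDE  16u     /* each MSR maps to a 16-byte register slot */

/* Hypothetical model of one guest's emulated APIC register page. */
struct vapic { uint8_t regs[APIC_PAGE_SIZE]; };

/* Byte offset in the register page that an x2APIC MSR maps to. */
static size_t msr_to_offset(uint32_t msr)
{
    return (size_t)(msr - X2APIC_MSR_BASE) * APIC_REG_STRIDE;
}

/* Count the MSRs that a range check of `count` entries would accept
 * even though a 32-bit read at their offset leaves the APIC page. */
size_t msrs_escaping_page(uint32_t count)
{
    size_t escaping = 0;
    for (uint32_t msr = X2APIC_MSR_BASE; msr < X2APIC_MSR_BASE + count; msr++)
        if (msr_to_offset(msr) + sizeof(uint32_t) > APIC_PAGE_SIZE)
            escaping++;
    return escaping;
}

/* Hardened read path: returns 0 and fills *val, or -1 if the MSR is
 * outside the 256-entry x2APIC range. */
int vapic_read_msr(const struct vapic *v, uint32_t msr, uint32_t *val)
{
    if (msr < X2APIC_MSR_BASE || msr - X2APIC_MSR_BASE >= X2APIC_MSR_COUNT)
        return -1;
    size_t off = msr_to_offset(msr);
    if (off + sizeof(*val) > sizeof(v->regs))  /* defence in depth */
        return -1;
    memcpy(val, v->regs + off, sizeof(*val));
    return 0;
}
```

With a 256-entry check every accepted MSR stays inside the page; with the 1024-entry check, 768 accepted MSRs map to offsets in the three pages that follow it.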

Hosting firm Rackspace rebooted its cloud systems over the weekend to apply the patch made available by the Xen Project. Rackspace notified its customers of the reboot, but didn’t mention anything about the Xen vulnerability to “avoid alerting cybercriminals.” There is no evidence that any data has been compromised due to the vulnerability, the company said.

Rackspace apologized to its customers for not warning them sooner about the reboot.

“This maintenance affected nearly a quarter of our 200,000-plus customers, and in the course of it, we dropped a few balls. Some of our reboots, for example, took much longer than they should. And some of our notifications were not as clear as they should have been. We are making changes to address those mistakes,” Taylor Rhodes, CEO and president of Rackspace, said in a blog post.

Amazon, which had to reboot roughly 10 percent of its EC2 fleet, told its customers that the maintenance update was related to a Xen security announcement. However, it didn’t provide any details until after the patch was applied.

“Because our customers’ security is our top priority and because the issue was potentially harmful to our customers, we needed to take fast action to protect them. For the reasons mentioned above, we couldn’t be as expansive as we’d have liked on why we had to take such fast action,” Amazon Web Services Chief Evangelist Jeff Barr explained.

Hypervisor vulnerabilities are relatively rare, but as Bromium researcher Rafal Wojtczuk demonstrated at the recent Black Hat security conference, there are several weak spots that can be leveraged in attacks against hypervisors.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
