A critical bug has been found in the Xen hypervisor that allows privilege escalation in a para-virtualised (PV) guest.
Xen is an open source hypervisor used by Amazon, Rackspace and IBM clouds, and is the basis of the Qubes OS secure operating system.
The vulnerability is designated XSA-182, identified as CVE-2016-6258, and affects all versions of Xen. However, only PV guests on x86 hardware are at risk; hardware virtual machine (HVM) and ARM guests are not vulnerable.
The bug was discovered by Jérémie Boutoille of Quarkslab, and theoretically allows a malicious PV guest administrator to escalate their privilege to that of the host. This would break the isolation of the PV virtual machines running on Xen, allowing an attacker who breaks into one to gain access to others.
"The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only access/dirty bits). The bits considered safe were too broad, and not actually safe," said the Xen Security Advisory CVE-2016-6258.
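The advisory's description of a "safe bits" fast path can be modelled in a few lines. The C below is an added illustration, not Xen's code: it uses the real x86-64 page-table flag bit positions, but the two policy masks (`SAFE_BITS_STRICT` and the deliberately over-broad `SAFE_BITS_TOO_BROAD`) and the sample entries are constructed for this example, and the advisory does not say which bits Xen's mask actually mis-classified. `fastpath_allowed()` is the kind of check the advisory describes, and `safe_mask_is_sound()` is the defender's test that a proposed mask cannot touch anything that changes what a guest may access.

```c
/* Model of a page-table "fast path" that skips re-validation when only
 * safe bits change. Added example, not Xen's code; masks are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Real x86-64 page-table entry flag positions (Intel SDM, Vol. 3A, paging). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_RW        (1ULL << 1)
#define PTE_USER      (1ULL << 2)
#define PTE_ACCESSED  (1ULL << 5)
#define PTE_DIRTY     (1ULL << 6)
#define PTE_NX        (1ULL << 63)
#define PTE_PFN_MASK  0x000ffffffffff000ULL   /* physical frame number field */

/* Correct policy: only the Accessed/Dirty bits may change without re-validation. */
#define SAFE_BITS_STRICT    (PTE_ACCESSED | PTE_DIRTY)

/* Hypothetical over-broad policy (constructed): it also treats the R/W bit as
 * harmless, so a permission change would bypass validation. */
#define SAFE_BITS_TOO_BROAD (PTE_ACCESSED | PTE_DIRTY | PTE_RW)

/* Bits that decide what a guest can reach: frame, presence, write, user, NX. */
#define PTE_SECURITY_RELEVANT \
    (PTE_PFN_MASK | PTE_PRESENT | PTE_RW | PTE_USER | PTE_NX)

/* True if the update old->new may take the fast path under the given policy,
 * i.e. every bit that differs is inside safe_bits. */
bool fastpath_allowed(uint64_t old_pte, uint64_t new_pte, uint64_t safe_bits)
{
    uint64_t changed = old_pte ^ new_pte;
    return (changed & ~safe_bits) == 0;
}

/* Defender's check on the policy itself: a safe-bit mask is sound only if it
 * overlaps none of the security-relevant bits. */
bool safe_mask_is_sound(uint64_t safe_bits)
{
    return (safe_bits & PTE_SECURITY_RELEVANT) == 0;
}

int main(void)
{
    /* Constructed sample entry: frame 0x12345, present, user, accessed, read-only. */
    uint64_t pte      = 0x12345000ULL | PTE_PRESENT | PTE_USER | PTE_ACCESSED;
    uint64_t set_dirty = pte | PTE_DIRTY;   /* benign: hardware-style A/D update */
    uint64_t set_rw    = pte | PTE_RW;      /* permission change: must be validated */

    printf("strict policy sound:     %d\n", safe_mask_is_sound(SAFE_BITS_STRICT));
    printf("too-broad policy sound:  %d\n", safe_mask_is_sound(SAFE_BITS_TOO_BROAD));
    printf("dirty bit, strict:       %d\n", fastpath_allowed(pte, set_dirty, SAFE_BITS_STRICT));
    printf("rw bit, strict:          %d\n", fastpath_allowed(pte, set_rw, SAFE_BITS_STRICT));
    printf("rw bit, too-broad:       %d\n", fastpath_allowed(pte, set_rw, SAFE_BITS_TOO_BROAD));
    return 0;
}
```

The point of `safe_mask_is_sound()` is that the policy mask, not just individual updates, is what needs review: a mask that is checked against the frame-number and permission bits once, at the time it is defined, cannot later let a permission change slip through the fast path.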
A similar bug, XSA-148, was found in Xen last year and the recent vulnerability occurs in the same section of the code that implements PV memory virtualisation. XSA-148 had existed in the code for seven years before being discovered.
Joanna Rutkowska, a security researcher and creator of Qubes OS, has long criticised what she describes as a lax attitude to security among the Xen team. Rutkowska has so far been unable to exploit the bug in experiments, but warned that XSA-182 must be considered a serious, or "fatal", vulnerability.
"The mere fact we were unable to come up with an agreeable exploitation sketch within the last 24 hours should not be treated as a mitigation factor," she said in a post on GitHub.
"This bug, being the second critical bug in the Xen PV virtualisation code publicly discussed in a relatively short period of time, cannot simply be shrugged off, patched and forgotten.
"It begs for answers to critical questions, such as 1) has Xen been written by competent developers? 2) how many more bugs of this calibre are we going to witness in the future? 3) what can or should we do to protect against such gaping holes?"
Patches for the CVE-2016-6258 bug have been made available and can be downloaded from the Xen site.
Xen Project has provided a statement to say that vendors and cloud providers using Xen who are on the pre-disclosure list (which includes all the vendors mentioned in this article) were informed about the bug two weeks ago and will have had time to patch their servers during the embargo period and before details were made public.
"Xen Project follows industry-accepted best practices regarding software security," said chairperson Lars Kurth.
"This includes not discussing any details with security implications during our embargo period. This is to encourage anyone to report bugs they find to the Xen Project Security team.
"This also allows Xen Project security team to assess, respond and prepare updated software packages before public disclosure and broad compromise occurs."
Amazon issued a statement to say that customers are not affected by XSA-182:
"AWS customers' data and instances are not affected by this issue, and there is no customer action required," it said.