A critical bug has been found in the Xen hypervisor that allows privilege escalation in a para-virtualised (PV) guest.
Xen is an open source hypervisor used by Amazon, Rackspace and IBM clouds, and is the basis of the Qubes OS secure operating system.
The vulnerability is designated XSA-182, identified as CVE-2016-6258, and affects all versions of Xen. However, only PV guests on x86 hardware are at risk; hardware virtual machine (HVM) and ARM guests are not vulnerable.
The bug was discovered by Jérémie Boutoille of Quarkslab, and theoretically allows a malicious PV guest administrator to escalate their privilege to that of the host. This would break the isolation of the PV virtual machines running on Xen, allowing an attacker who breaks into one to gain access to others.
"The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only access/dirty bits). The bits considered safe were too broad, and not actually safe," said the Xen Security Advisory CVE-2016-6258.
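The advisory's description of the bug class, a fast path that skips full re-validation when only "safe" bits of an existing pagetable entry change, can be illustrated with a small model. The following C program is an added example and is not Xen's code; the two whitelists, the eight-frame guest and the rule that frame 3 must stay read-only are all constructed assumptions (the article does not say which bits Xen's own whitelist contained). It shows why the width of the whitelist decides whether the expensive check can be bypassed: under the strict whitelist (accessed/dirty bits only) a request that flips the writable bit on a protected frame falls through to full validation and is rejected; under the over-broad whitelist the same request is accepted on the fast path and the protection is silently lost.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x86 page-table-entry flag bits. */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_RW       (1ULL << 1)
#define PTE_USER     (1ULL << 2)
#define PTE_ACCESSED (1ULL << 5)
#define PTE_DIRTY    (1ULL << 6)
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL   /* physical frame number, bits 12..51 */

/* Constructed whitelists of bits the fast path may change without re-validation.
 * Which bits Xen's own whitelist contained is not stated in the article. */
#define WHITELIST_STRICT (PTE_ACCESSED | PTE_DIRTY)
#define WHITELIST_BROAD  (PTE_ACCESSED | PTE_DIRTY | PTE_RW)

/* Constructed guest state: frames 0..7, of which frame 3 must stay read-only
 * for this guest (hypothetical policy standing in for the hypervisor's rules). */
#define NUM_FRAMES 8
static const bool frame_must_be_ro[NUM_FRAMES] =
    { false, false, false, true, false, false, false, false };

enum update_result { UPDATE_FASTPATH = 0, UPDATE_VALIDATED = 1, UPDATE_REJECTED = -1 };

static uint64_t pte_frame(uint64_t pte) { return (pte & PTE_PFN_MASK) >> 12; }

/* Expensive path: full check of the proposed entry against the policy. */
static bool full_validate(uint64_t new_pte)
{
    uint64_t frame = pte_frame(new_pte);
    if (frame >= NUM_FRAMES)
        return false;                 /* frame not owned by this guest */
    if ((new_pte & PTE_RW) && frame_must_be_ro[frame])
        return false;                 /* would make a protected frame writable */
    return true;
}

/* The fast path is allowed only if every differing bit is on the whitelist. */
bool fast_path_allowed(uint64_t old_pte, uint64_t new_pte, uint64_t whitelist)
{
    uint64_t changed = old_pte ^ new_pte;
    return (changed & ~whitelist) == 0;
}

/* Apply a guest-requested update to an existing entry, mirroring the
 * fast-path-or-revalidate structure the advisory describes. */
enum update_result pv_update_pte(uint64_t *pte, uint64_t new_pte, uint64_t whitelist)
{
    if (fast_path_allowed(*pte, new_pte, whitelist)) {
        *pte = new_pte;               /* no re-validation: trusts the whitelist */
        return UPDATE_FASTPATH;
    }
    if (!full_validate(new_pte))
        return UPDATE_REJECTED;
    *pte = new_pte;
    return UPDATE_VALIDATED;
}

/* Check: does the read-only policy on frame 3 survive an attempt to set RW
 * on the entry mapping it, under the given whitelist? */
bool protection_holds(uint64_t whitelist)
{
    uint64_t pte = (3ULL << 12) | PTE_PRESENT | PTE_USER;   /* frame 3, read-only */
    enum update_result r = pv_update_pte(&pte, pte | PTE_RW, whitelist);
    return r == UPDATE_REJECTED && !(pte & PTE_RW);
}

int main(void)
{
    printf("strict whitelist: protection %s\n",
           protection_holds(WHITELIST_STRICT) ? "holds" : "BYPASSED");
    printf("broad whitelist:  protection %s\n",
           protection_holds(WHITELIST_BROAD) ? "holds" : "BYPASSED");
    return 0;
}
```

The design point is that a fast path is only as safe as the exact set of bits it declares irrelevant to validation; every bit on that list is a bit the full check will never see again for an existing entry, so the list has to be the minimum that the performance case needs (here the accessed and dirty bits alone), not every bit that merely looks harmless.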
A similar bug, XSA-148, was found in Xen last year and the recent vulnerability occurs in the same section of the code that implements PV memory virtualisation. XSA-148 had existed in the code for seven years before being discovered.
Joanna Rutkowska, a security researcher and creator of Qubes OS, has long criticised what she describes as a lax attitude to security among the Xen team. Rutkowska has so far been unable to exploit the bug in experiments, but warned that XSA-182 must be considered a serious, or "fatal", vulnerability.
"The mere fact we were unable to come up with an agreeable exploitation sketch within the last 24 hours should not be treated as a mitigation factor," she said in a post on GitHub.
"This bug, being the second critical bug in the Xen PV virtualisation code publicly discussed in a relatively short period of time, cannot simply be shrugged off, patched and forgotten.
"It begs for answers to critical questions, such as 1) has Xen been written by competent developers? 2) how many more bugs of this calibre are we going to witness in the future? 3) what can or should we do to protect against such gaping holes?"
Patches for the CVE-2016-6258 bug have been made available and can be downloaded from the Xen site.
Xen Project has provided a statement to say that vendors and cloud providers using Xen who are on the pre-disclosure list (which includes all the vendors mentioned in this article) were informed about the bug two weeks ago and will have had time to patch their servers during the embargo period and before details were made public.
"Xen Project follows industry-accepted best practices regarding software security," said chairperson Lars Kurth.
"This includes not discussing any details with security implications during our embargo period. This is to encourage anyone to report bugs they find to the Xen Project Security team.
"This also allows Xen Project security team to assess, respond and prepare updated software packages before public disclosure and broad compromise occurs."
Amazon issued a statement to say that customers are not affected by XSA-182:
"AWS customers' data and instances are not affected by this issue, and there is no customer action required," it said.