
Xen hypervisor vulnerability allows access to host memory from a virtual machine





A critical vulnerability in the popular Xen hypervisor allows attackers to gain access to the memory of the host system on which a virtual machine is running. Such a compromise of the hypervisor's security can pose a threat, for example, to data centers in which the virtual infrastructure of different clients runs on the same hardware.



What is the problem



The open-source Xen hypervisor is used by cloud service providers and hosting providers, as well as by some developers of secure operating systems, such as Qubes OS.


The discovered vulnerability affects Xen versions 4.8.x, 4.7.x, 4.6.x, 4.5.x and 4.4.x. It has been present in the product code for more than four years: the error was introduced in December 2012 as a result of corrections made for another problem.



Using this vulnerability, attackers who have access to the guest operating system can “read” the memory of the entire host machine.



How to protect



The Xen Project team released a patch on Tuesday, April 4; it must be applied to vulnerable systems manually. Xen supports two types of virtual machines: hardware virtual machines (HVMs) and paravirtualized (PV) machines. The described vulnerability can be exploited only from 64-bit paravirtualized guest systems.



Thus, not all customers of service providers and hosting providers that use Xen were at risk. For example, Amazon Web Services reported that its customers, data centers and virtual machines are not affected by the vulnerability, so users do not need to take any additional action. At the same time, the virtual infrastructure provider Linode had to restart several of its legacy servers running Xen to eliminate the error.



The developers of Qubes OS, in which Xen is used to isolate applications inside virtual machines, have published a security bulletin. It reports that exploiting the Xen vulnerability in combination with other security errors (for example, in a browser) may result in the compromise of the entire Qubes system. As a result, a patch was released for Qubes 3.1 and 3.2. In addition, the project team plans to stop using paravirtualization in the next release, Qubes 4.0.



This is not the first time that vulnerabilities have been found in virtualization systems that allow attackers to leave the isolated zone of a virtual machine and get into the host system. For example, in the fall of 2016, information security specialists discovered a vulnerability in VMware products that allows an attacker to gain access to a virtual machine and execute code on a host system.

Source: https://habr.com/ru/post/325882/


