A critical vulnerability in the popular Xen hypervisor allows attackers to gain access to the memory of a host system running a virtual machine. A breach of hypervisor isolation like this can pose a threat, for example, to data centers in which the virtual infrastructure of different clients runs on the same hardware.
What is the problem
The open-source Xen hypervisor is used by cloud service providers and hosting providers, as well as by some developers of secure operating systems, such as Qubes OS.
The discovered vulnerability affects Xen versions 4.8.x, 4.7.x, 4.6.x, 4.5.x and 4.4.x; it has been present in the product code for more than four years. The bug was introduced in December 2012 as part of a fix for another problem.
Using this vulnerability, attackers who have access to the guest operating system can “read” the memory of the entire host machine.
How to protect yourself
The Xen Project team released a patch on Tuesday, April 4; it must be applied to vulnerable systems manually. Xen supports two types of virtual machines: hardware virtual machines (HVMs) and paravirtualized (PV) machines. The described vulnerability can be exploited only from 64-bit paravirtualized guest systems.
Thus, not all customers of service providers and hosting providers that use Xen were at risk. For example, Amazon Web Services reported that its customers, data centers and virtual machines are not affected by the vulnerability, so users do not need to take any additional action. At the same time, the virtual infrastructure provider Linode had to restart several of its legacy servers running Xen to eliminate the error.
The developers of Qubes OS, in which Xen is used to isolate applications inside virtual machines, have published a security bulletin. It reports that exploiting the Xen vulnerability in combination with other security errors (for example, in a browser) may result in the compromise of the entire Qubes system. As a result, a patch was released for Qubes 3.1 and 3.2; in addition, the project team plans to stop using paravirtualization in the next release, Qubes 4.0.
This is not the first time that vulnerabilities have been found in virtualization systems that allow attackers to escape the isolation of virtual machines and reach the host system. For example, in the fall of 2016, information security specialists discovered a vulnerability in VMware products that allows an attacker to gain access to a virtual machine and execute code on the host system.