Xen warns of new Venom-like vulnerability

A newly discovered flaw in the popular open source Xen virtualisation hypervisor layer has prompted the Xen Project to urge users to update from the vulnerable version 4.5 to version 4.5.1 as soon as possible.

Xen-o-morph.

According to the Xen Project security team, the XSA-135 flaw is a heap overflow in the Quick Emulator code for the PCNET network interface controller. 

By overlowing the heap, a guest who has access to an emulated PCNET network device can exploit the vulnerability to hijack the the QEMU process - which runs at elevated privileges in Xen - and take control of the host system.

The flaw follows the discovery of the Venom vulnerability in Xen in May this year, which was also traced back to QEMU. 

Venom allowed attackers to overflow data buffers in the virtual floppy disc drive code in QEMU and execute arbitrary code with elevated privileges, making it possible to escape virtual machine security contexts.

Apart from Xen, Linux KVM and native QEMU clients were all affected by Venom.

However, countermeasures against attacks on hardware emulation are relatively easy to defend against, security researcher Tamas Lengyel of Technical University of Munich, Germany, told iTnews after the Venom vulnerability struck.

A simple configuration change to restrict QEMU code to merely the virtual machine it provides emulation for, a feature called stub domains, is enough stop attackers from getting into the host system, Lengyel noted.

In its security advisory for XSA-135 earlier this month, the Xen Project security team noted that all systems running x86 hardware-assisted virtualisation (HVM) without stub domains are vulnerable to the flaw if the PCNET network interface is enabled.

However, including stub domains would come at the cost of slightly higher memory usage, which in turn would reduce the amount of virtual machines a provider could sell - acting as disincentive to enable the security feature.