Xen patches critical guest privilege escalation bug

A freshly uncovered bug in the Xen virtualisation hypervisor could potentially allow guests to escalate their privileges until they have full control of the hosts they're running on.

The Xen hypervisor is used by cloud giants Amazon Web Services, IBM and Rackspace.

Inadequate security checks of how virtual machines access memory means a malicous, paravirtualised guest administrator can raise their system privileges to that of the host on unpatched installations, Xen said.

"The paravirtualisation pagetable code has fast-paths for making updates to pre-existing
pagetable entries, to skip expensive re-validation in safe cases (eg. clearing only Access/Dirty bits)," Xen's security team said in its advisory for XSA 182.

"The bits considered safe were too broad, and not actually safe." 

If exploited, a malicious guest could obtain full access to not just the host system, but to other virtual machines running on it. All current versions of Xen are vulnerable to XSA 182.

Systems running full hardware assisted virtualisation are not vulnerable to the flaw, nor are ARM guests.

Qubes security researcher Joanna Rutkowska had harsh words for Xen's handling of the critical vulnerability, which she said is similar to the XSA 148 flaw discovered in 2015 that lay dormant in the hypervisor for seven years.

The second such critical Xen PV vulnerability discovered in a relatively short time "cannot simply be shrugged off, patched and forgotten," Rutkowska said. 

"Has Xen been written by competent developers? How many more bugs of this calibre are we going to witness in the future?" she asked.

While Rutkowska said the Qubes OS project (Qubes is a security-oriented operating system that uses virtualisation) had so far been unable to come up with a practical proof of concept to exploit XSA 182, the developers nevertheless decided to treat the flaw as a critical bug.

Thanks to XSA 182, the Qubes OS will move to full hardware memory virtualisation (HVM) in its next 4.0 release.

Qubes has considered changing to another hypervisor as developers are disappointed in Xen's security process, but have so far not found a good alternative to the hardware virtualisation layer.