XEN, THE HYPERVISOR used by cloud behemoths AWS and Rackspace, has announced a glitch that could allow an attacker to access system memory from a paravirtualised machine.
In an advisory notice, Xen admits that the newly discovered bug, XSA-212, is the result of a previous fix dubbed XSA-29 which "introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays".
This could allow a malicious or buggy paravirualised (PV) guest VM to access the entire system memory, allowing for privilege escalation, host crashes and information leaks. All Xen versions are vulnerable but only x86 systems are affected; ARM systems are not at risk. The treat is limited to 64-bit PV guests: HVM guests and 32-bit PV guests can't exploit the vulnerability.
Fortunately for AWS users, Amazon has said that its cloud platform is not affected by this vulnerability.
However, one system that is affected is Qubes OS, the secure operating system that's built on Xen. The Qubes team has been mulling moving away from the Xen PV architecture for some time, owing to the number of critical bugs that have cropped up in the hypervisor.
Qubes will move to a hardware virtual machine (HVM) architecture for its next major release, 4.0.
"This is another bug resulting from the overly-complex memory virtualisation required for PV in Xen," a Qubes community blog post said.
"The upcoming Qubes OS 4.0 will no longer use PV. Instead, we will be switching to HVM-based virtualisation."
Current Qubes users are advised that a fix for the bug will soon be forthcoming via a Qubes Dom0 update. Meanwhile, for other Xen users a patch has been made available.
"C, without doubt, is ridden with quirks and undefined behaviours," the post said.
"Even the most experienced developers find this collection of powerful footguns difficult to use. We're glad that the development of programming languages in the last decade has given us an abundance of better choices."
Xen chose to make this announcement on 1 April with the planned release date for the rewritten code given as April 1st, 2018, leading some on Twitter to doubt the veracity of the notice.
Seems like an odd April Fool to us, but never underestimate the strangeness of dev-humour. μ
Join INQ's sister site Computing in London on 4 May for the Cyber Security Strategy Briefing 2017 for the Financial Sector.
Speakers include Adam Koleda, IT director of insurance firm BPL Global; Peter Agathangelou, associate director of Hamilton Fraser Insurance; and, Dr Kuan Hon, consultant lawyer at law firm Pinsent Masons.
Attendance is free to qualifying IT professionals and IT leaders - register now!
'Ah - yes - we're ignoring your wishes for a reason there, leave it alone'
And, er, not much else
To serve, protect, and get incredibly hot and dusty
Symantec links attack to prolific Lazarus hacking group