Be my guest, be my guest, at a hypervisor hacking fest

The Xen Project has posted advisories and patches for seven bugs, most of which let guests run denial-of-service (DoS) attacks on hosts.

CVE-2017-15592 means “A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a DoS affecting the entire host, or cause hypervisor memory corruption.” Privilege escalation is feasible, the advisory says.

The problem exists only on x86 architectures, when Hardware Virtual Machine (HVM) uses shadow paging mode.

The bug exists in all Xen versions, and has been patched. Systems using only paravirtualized (PV) guests aren't vulnerable.

CVE-2017-15594 is a privilege escalation / hypervisor crash bug in x86 systems. It arises out of an error in handling the Interrupt Descriptor Table when a new CPU is brought online.

In certain conditions, a new CPU can be given the wrong IDT fields, and if the first vCPU is a PV guest, it could exploit the vulnerability.

CVE-2017-15588 is an error in timestamp and guest translation lookaside buffer (TLB) flushing. It causes a race condition that could let the guest access all of system memory, resulting in the usual “privilege escalation, host crashes, and information leaks.”

ARM architectures suffer in CVE-2017-15596, an error path locking error that lets a guest admin block access to a physical CPU “for an indefinite period of time”.

Finishing off the list, are CVE-2017-15595 (denial of service, with possible privilege escalation), CVE-2017-15593 (an x86 guest could hose the host on shutdown because of a page type reference leak), and CVE-2017-15590 (hosing an entire x86 host because of a PCI MSI interrupt handling error). ®