Xen reports new guest-host escape, this time through CD-ROMs

The Xen Project has reported another guest/host escape bug, its third for the year including the VENOM vuln and the XSA-135 SNAFU.

The new vuln glories in the name XSA-138, aka CVE-2015-5154 and means “An HVM guest which has access to an emulated IDE CDROM device (e.g. with a device with "devtype=cdrom", or the "cdrom" convenience alias, in the VBD configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.”

“All Xen systems running x86 HVM guests without stubdomains which have been configured with an emulated CD-ROM driver model are vulnerable,” the advisory about the bug says.

The good news is that you can fix the flaw by “Avoiding the use of emulated CD-ROM devices altogether, by not specifying such devices in the domain configuration”. Or you can enable stubdomains.

But there's also bad new: Red Hat says RHEL 7 users will need to patch, but RHEL 5 and 6 users are in the clear. SUSE's also listed vulnerable products and remediation actions, as has Debian.

This bug may not be a massive hassle for cloud operators, as such users are unlikely to have bothered with emulated CD-ROMs in the slimmed-down VMs they generally prefer. For the rest of us, it'll be worth checking if we left the deprecated drives in VMs and then applying your preferred distro's remedies. All urge doing so swiftly. ®