Xen fixes guest privilege escape and plenty more

Crashes, data leaks and foul corruption also fixed

By Richard Chirgwin

Xen admins, get busy: the open source hypervisor's issued fixes for bugs that range from data corruption and leakage up to privilege escalation.

Let's start with CVE-2017-12137, which could let a paravirtualized (PV) guest escalate to host privilege.

It's down to a mistake in memory allocation when a PV guest is launched. That process can use either a nominated linear address or an “L1 pagetable entry”, but in the second case the L1 entry path isn't checked for alignment.

“This causes Xen to make an incorrectly-aligned update to a pagetable, which corrupts both the intended entry and the subsequent entry with values which are largely guest controlled. If the misaligned value crosses a page boundary, then an arbitrary other heap page is corrupted” – and a successful exploit could be used to get host privileges.

All versions of Xen are vulnerable if running untrusted PV guests on x86 architectures, and the issue has been patched.
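To make the quoted advisory text concrete, here is an added illustration (not Xen's code, and not from the article): a toy pagetable page of 512 eight-byte entries, a raw store that performs no validation, and the alignment-and-range check that a corrected path would apply before touching the entry. The entry values and offsets are constructed for the demonstration.

```python
# Added model (not Xen's code): why an unaligned 8-byte pagetable-entry
# update corrupts two entries, and the check that rejects such a pointer.
PTE_SIZE = 8        # x86-64 pagetable entries are 8 bytes
PAGE_SIZE = 4096    # one pagetable page holds 512 entries


def write_pte(page: bytearray, offset: int, value: int) -> None:
    """Raw 8-byte little-endian store at a byte offset, no validation (the bug model)."""
    page[offset:offset + PTE_SIZE] = value.to_bytes(PTE_SIZE, "little")


def entries_touched(offset: int) -> set:
    """Indexes of the entry slots an 8-byte store at this byte offset overlaps.
    An index of 512 or more means the store spills past the page boundary."""
    first = offset // PTE_SIZE
    last = (offset + PTE_SIZE - 1) // PTE_SIZE
    return set(range(first, last + 1))


def validate_pte_pointer(offset: int) -> bool:
    """The check a hardened path applies: inside the page and entry-aligned."""
    return 0 <= offset < PAGE_SIZE and offset % PTE_SIZE == 0


def demo() -> dict:
    page = bytearray(PAGE_SIZE)
    # Constructed values: two adjacent entries with recognisable patterns
    write_pte(page, 8 * 10, 0x1111111111111111)
    write_pte(page, 8 * 11, 0x2222222222222222)
    # A misaligned pointer into the middle of entry 10 (3 bytes in)
    bad_offset = 8 * 10 + 3
    write_pte(page, bad_offset, 0xAAAAAAAAAAAAAAAA)
    e10 = int.from_bytes(page[80:88], "little")
    e11 = int.from_bytes(page[88:96], "little")
    return {
        "touched": entries_touched(bad_offset),   # {10, 11}: both entries altered
        "e10": e10,                               # 0xAAAAAAAAAA111111
        "e11": e11,                               # 0x2222222222AAAAAA
        "rejected": not validate_pte_pointer(bad_offset),
    }


if __name__ == "__main__":
    print(demo())
    # A store at the last three bytes of the page reaches slot 512, i.e. a
    # different page, which is the cross-page-boundary case in the advisory.
    print(entries_touched(4092))
```

The point of the model is only the arithmetic: an 8-byte store at a non-multiple-of-8 offset always straddles two slots, so the intended entry and its neighbour both end up holding bytes the caller chose, and at offset 4092 the spill lands outside the page entirely. The `validate_pte_pointer` check is the kind of gate that turns such a pointer into a rejected request rather than a write.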

There are also two issues with Xen's grant_table: one reported before a CVE number was assigned, and CVE-2017-12855.

The bits that indicate a granted frame is in use (`_GTF_{read,write}`) can be cleared incorrectly, with a resulting possible information leak.

“A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant”, the advisory says.

The grant_table code also suffers a race condition, CVE-2017-12136, offering a path for a malicious guest administrator to crash the host.

What's called “transitive grants” in Xen is in the spotlight in CVE-2017-12135, with two bugs allowing a malicious (or buggy) guest to crash the system. Patches have been issued for all versions.

There's also a fix for a bug in Xen's block I/O “merge-ability” calculation, which opened a path to either data corruption or a data leak.

“The block layer in Linux may choose to merge adjacent block IO requests. When Linux is running as a Xen guest, the default merging algorithm is replaced with a Xen-specific one. When Linux is running as an x86 PV guest, some BIOs are erroneously merged, corrupting the data stream to/from the block device”, the advisory says.

If you need time to patch this one, disable block I/O merges on backend block devices. ®
