Xen fixes guest privilege escape and plenty more

Crashes, data leaks and foul corruption also fixed

By Richard Chirgwin

Posted in Virtualization, 16th August 2017 07:33 GMT

Xen admins, get busy: the open source hypervisor's issued fixes for bugs that range from data corruption and leakage up to privilege escalation.

Let's start with CVE-2017-12137, which could let a paravirtualized (PV) guest escalate to host privilege.

It's down to a mistake in memory allocation when a PV guest is launched. That process can use either a nominated linear address or an “L1 pagetable entry”, but in the second case the L1 entry path isn't checked for alignment.

“This causes Xen to make an incorrectly-aligned update to a pagetable, which corrupts both the intended entry and the subsequent entry with values which are largely guest controlled. If the misaligned value crosses a page boundary, then an arbitrary other heap page is corrupted” – and a successful exploit could be used to get host privileges.

All versions of Xen are vulnerable if running untrusted PV guests on x86 architectures, and the issue has been patched.

There is also an issue with Xen's grant_table, here (pre-CVE) and here (CVE-2017-12855).

The bits that indicate a granted frame is in use (_GTF_{read,write}) can be cleared incorrectly, with a resulting possible information leak.

“A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant”, the advisory says.

The grant_table code also suffers a race condition, CVE-2017-12136, offering a path for a malicious guest administrator to crash the host.

What's called “transitive grants” in Xen is in the spotlight in CVE-2017-12135, with two bugs allowing a malicious (or buggy) guest to crash the system. Patches have been issued for all versions.

There's also a fix for a bug in Xen's block I/O “merge-ability” calculation, which opened a path to either data corruption or a data leak.

“The block layer in Linux may choose to merge adjacent block IO requests. When Linux is running as a Xen guest, the default merging algorithm is replaced with a Xen-specific one. When Linux is running as an x86 PV guest, some BIO's are erroneously merged, corrupting the data stream to/from the block device”, the advisory says.

If you need time to patch this one, disable block I/O merges on backend block devices. ®
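The interim mitigation above, as an added example script that is not from the article or the Xen advisory: it sets the Linux `nomerges` request-queue attribute on each block device and then verifies that merging really is off. `SYSFS_BLOCK` is an assumed parameter so the logic can be exercised against a constructed fake sysfs tree; on a real host it defaults to `/sys/block` and the script has to run as root.

```shell
#!/bin/sh
# Added example, not code from the article or the Xen advisory.
# Linux exposes merge control per device as /sys/block/<dev>/queue/nomerges:
#   0 = merging allowed, 1 = only simple one-hit merges, 2 = all merging disabled.
# SYSFS_BLOCK is an assumed knob so the functions can be tested on a fake tree.
SYSFS_BLOCK="${SYSFS_BLOCK:-/sys/block}"

# Disable merging on one device. Returns 1 if the device has no writable
# nomerges attribute (for example, a device without a request queue).
disable_merges() {
    knob="$SYSFS_BLOCK/$1/queue/nomerges"
    [ -w "$knob" ] || return 1
    printf '2\n' > "$knob"
}

# Print the current setting; empty output means the device lacks the attribute.
get_nomerges() {
    cat "$SYSFS_BLOCK/$1/queue/nomerges" 2>/dev/null
}

# Succeeds only when merging is fully disabled (nomerges == 2).
merges_disabled() {
    [ "$(get_nomerges "$1")" = "2" ]
}

# Apply the setting to every device that has a request queue and re-read it
# afterwards; any device still merging is reported on stderr. Succeeds only
# when no such device remains, so the result can be checked by a caller.
disable_all_merges() {
    left=0
    for path in "$SYSFS_BLOCK"/*; do
        dev=$(basename "$path")
        [ -f "$path/queue/nomerges" ] || continue
        disable_merges "$dev" || true
        if ! merges_disabled "$dev"; then
            echo "still merging: $dev" >&2
            left=$((left + 1))
        fi
    done
    [ "$left" -eq 0 ]
}
```

The setting does not survive a reboot, so it is only a stopgap until the fixed kernel is in place.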
