Be my guest, be my guest, at a hypervisor hacking fest

Xen pins seven bugs to the card, all with guests doing nasty things to hosts

By Richard Chirgwin


The Xen Project has posted advisories and patches for seven bugs, most of which let guests run denial-of-service (DoS) attacks on hosts.

For CVE-2017-15592, the advisory states that “A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a DoS affecting the entire host, or cause hypervisor memory corruption.” It adds that privilege escalation is feasible.

The problem exists only on x86, and only when Hardware Virtual Machine (HVM) guests run in shadow paging mode.

The bug exists in all Xen versions, and has been patched. Systems using only paravirtualized (PV) guests aren't vulnerable.

CVE-2017-15594 is a privilege escalation / hypervisor crash bug in x86 systems. It arises out of an error in handling the Interrupt Descriptor Table when a new CPU is brought online.

In certain conditions, a new CPU can be given the wrong IDT fields, and if the first vCPU run on that CPU belongs to a PV guest, that guest could exploit the vulnerability.

CVE-2017-15588 is an error in timestamp and guest translation lookaside buffer (TLB) flushing. It causes a race condition that could let the guest access all of system memory, resulting in the usual “privilege escalation, host crashes, and information leaks.”

ARM architectures suffer in CVE-2017-15596, an error path locking error that lets a guest admin block access to a physical CPU “for an indefinite period of time”.

Finishing off the list are CVE-2017-15595 (denial of service, with possible privilege escalation), CVE-2017-15593 (an x86 guest could hose the host on shutdown because of a page type reference leak), and CVE-2017-15590 (hosing an entire x86 host because of a PCI MSI interrupt handling error). ®
