Be my guest, be my guest, at a hypervisor hacking fest

Xen pins seven bugs to the card, all with guests doing nasty things to hosts

By Richard Chirgwin

Posted in Virtualization, 19th October 2017 02:15 GMT

The Xen Project has posted advisories and patches for seven bugs, most of which let guests run denial-of-service (DoS) attacks on hosts.

CVE-2017-15592 means “A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a DoS affecting the entire host, or cause hypervisor memory corruption.” Privilege escalation is feasible, the advisory says.

The problem exists only on x86, and only for Hardware Virtual Machine (HVM) guests running in shadow paging mode.

The bug is present in all Xen versions and has been patched. Systems running only paravirtualised (PV) guests aren't vulnerable.

CVE-2017-15594 is a privilege escalation / hypervisor crash bug on x86 systems. It arises from an error in setting up the Interrupt Descriptor Table (IDT) when a new CPU is brought online.

Under certain conditions the newly onlined CPU is handed the wrong IDT fields, and if the first vCPU it runs belongs to a PV guest, that guest could exploit the flaw.

CVE-2017-15588 is an error in the timestamp-based tracking of guest translation lookaside buffer (TLB) flushes. The resulting race condition could let a guest access all of system memory, with the usual consequences: "privilege escalation, host crashes, and information leaks."

ARM systems get CVE-2017-15596, a locking error on an error path that lets a guest administrator block access to a physical CPU "for an indefinite period of time".

Finishing off the list are CVE-2017-15595 (denial of service, with possible privilege escalation), CVE-2017-15593 (an x86 guest could hose the host on shutdown because of a page type reference leak), and CVE-2017-15590 (hosing an entire x86 host because of a PCI MSI interrupt-handling error). ®
