Articles about xen

Citrix snuffs Xen and NetScaler brands

Citrix has rebranded most of its stuff. As The Register foreshadowed in January 2018, the company’s swept aside some old brands, although not with the “Citrix Plus” scheme we reported at the time. Instead we’re getting “Citrix [ProductName].” XenServer, for example, will become “Citrix Hypervisor”. XenApp and XenDesktop will …
Simon Sharwood, 14 May 2018

Win 7, Server 2008 'Total Meltdown' exploit lands, pops admin shells

If you're not up-to-date with your Intel CPU Meltdown patches for Windows 7 or Server 2008 R2, get busy with that, because exploit code for Microsoft's own-goal flaw is available. Microsoft issued an update in late March after Swedish researcher Ulf Frisk turned up what he dubbed “Total Meltdown.” The bug Frisk found was that …

KVM? Us? Amazon erases new hypervisor from AWS EC2 FAQ

Amazon Web Services has quietly edited its FAQ in which it revealed it has created a new KVM-based hypervisor and will use it instead of Xen for future instances. The webpage now contains no mention of the hypervisor. But Google's cached record of the page does. And in case AWS manages to get that scrubbed, we grabbed this …

Be my guest, be my guest, at a hypervisor hacking fest

The Xen Project has posted advisories and patches for seven bugs, most of which let guests run denial-of-service (DoS) attacks on hosts. CVE-2017-15592 means “A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a DoS affecting the entire host, or cause hypervisor memory corruption.” Privilege escalation …

Xen fixes guest privilege escape and plenty more

Xen admins, get busy: the open source hypervisor's issued fixes for bugs that range from data corruption and leakage up to privilege escalation. Let's start with CVE-2017-12137, which could let a paravirtualized (PV) guest escalate to host privilege. It's down to a mistake in memory allocation when a PV guest is launched. …

Xen warns of nine embargo-worthy bugs

The Xen Project has announced nine – as in 3^2 – embargo-worthy bugs. Details of the problems, with fixes for all, will be revealed on June 20. Xen's security policy sees it announce the existence of bugs two weeks before it releases patches to the world. But detailed news of the bugs is revealed to big Xen users, which makes …

Qubes kicks Xen while it's down after finding 'fatal, reliably exploitable' bug

Qubes is once again regretting how long it's taken to abandon Xen's PV hypervisor, disclosing another three bugs including host escape vulnerabilities. The most serious bugs are in PV (paravirtualization) memory handling, XSA-213 and XSA-214. “An attacker who exploits either of these bugs can break Qubes-provided isolation. …

Patch Qubes to prevent pwnage via Xen bug

Xen has a critical bug that means Qubes 3.1 and 3.2 need an immediate patch, for Xen packages between 4.6.4 and 4.6.26. A recent patch introduced the bug, which according to the advisory is an insufficient check on the XENMEM_exchange input, “allowing the caller to drive hypervisor memory accesses outside of the guest provided …

Xen bends own embargo rules to unbork risky Cirrus video emulation

The Xen Project has bent its own rules of vulnerability disclosure for a buggy and possibly exploitable video component that needs urgent attention. It's not a hypervisor escape yet, but as the Xen advisory notes, it could be a pathway to one. The crashable component is a VGA driver, of all things – the default Cirrus video …

Virtualisation got boring in 2016, but the fun's about to start anew

END-OF-YEAR ROUND UP: 2016 was a year in which virtualisation became so mainstream, so expected, so accepted that it started to look like a moribund market. But virtualisation's really only just getting started because storage virtualisation, network virtualisation and network function virtualisation are just getting started, while other uses for …
Simon Sharwood, 22 Dec 2016

Qualcomm joins Xen Project Advisory Board

Qualcomm has joined the Xen Project's Advisory Board, the group of companies “committed to the market and technical success of the Xen Project” and who “provide financial support, technical contributions, and set high-level policy decisions.” And it's done so “to accelerate ARM-server and hyperscale cloud development, …
Simon Sharwood, 20 Dec 2016

Xen 4.8 debuts, gives ARM servers vendors a reason to hope

A new version of the Xen Project's hypervisor has emerged blinking into the light. The Project reckons the best bit of version 4.8 is support for live patching of ARMv8-A CPUs, noting that such silicon is likely to appear in servers. And server users, of course, love anything that avoids operational disruptions. So Xen has …

Get patching: Xen bug blows hypervisor security to bits – literally

The Xen Project has issued eight security advisories for its open source hypervisor. XSA-195 is considered the most serious of the eight, as it could allow memory modification, resulting in arbitrary code execution, a crash of the host, or information exposure. According to the Xen Project, XSA-195 (CVE-2016-9383) is …
Thomas Claburn, 24 Nov 2016

Hypervisor security ero-Xen: How guest VMs can hijack host servers

Analysis: The Xen project has today patched four security bugs in its open-source hypervisor – three potentially allowing guest virtual machines to take over their host servers. The other programming cockup allows a guest to crash the underlying machine. This is not great news for cloud providers or anyone else running untrusted VMs on …

Explo-Xen! Bunker buster bug breaks out guests from hypervisor

Code dive: A super-bug in the Xen hypervisor may allow privileged code running in guests to escape to the underlying host. This means, on vulnerable systems, malicious administrators within virtual machines can potentially break out of their confines and start interfering with the host server and other guests. This could be really bad …
Chris Williams, 27 Jul 2016

Xen says new patch is 'simple and crude' and warns against using it

The Xen project has revealed a new bug, XSA-180, but warns its patch for the problem is itself problematic. The bug means that “When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen.” “This output is not rate-limited in any way. The guest can easily cause qemu to print …
Simon Sharwood, 24 May 2016

Xen hypervisor to gain non-disruptive patching in June

The Xen Project will bring non-disruptive patching to its hypervisor, version 4.7 of which is set to debut on June 3rd, 2016. That date may wobble a little, because the feature freeze scheduled for April 1st was put back a week in order to let contributors sort themselves out over Easter. But it's known that a sub-project …
Simon Sharwood, 28 Apr 2016

New Xen maintenance release ends active version 4.4 development

Can it really be time to update Xen again? Yes it can, because the Xen Project has announced a new maintenance release, version 4.4.4, that ticks off a list of 70 fixes and improvements, plus another five qemu quirks. Xen's had a rough time of it lately, with several severe bugs demanding attention. A few security-related …
Simon Sharwood, 29 Jan 2016

Biting the hand that feeds IT © 1998–2018