'Critical' bug found in Xen hypervisor

XSA-182 could allow an attacker to take control of all para-virtualised virtual machines running on Xen

A bug has been found in the Xen hypervisor that allows privilege escalation from a para-virtualised (PV) guest. Xen is an open-source hypervisor used by the Amazon, Rackspace and IBM clouds, and it is also the basis of the Qubes OS secure operating system.

Codenamed XSA-182 and identified as CVE-2016-6258, the vulnerability affects all versions of Xen, but only PV guests on x86 hardware are at risk. Hardware virtual machine (HVM) and ARM guests are not vulnerable.

The bug, which was discovered by Jérémie Boutoille of Quarkslab, theoretically allows a malicious PV guest administrator to escalate their privilege to that of the host. This would break the isolation of the PV virtual machines running on Xen, allowing an attacker who succeeds in breaking into one to gain access to others too.

In an advisory on the project's website, the Xen developers explain the issue:

"The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only access/dirty bits)," they write. "The bits considered safe were too broad, and not actually safe."
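To make the advisory's description concrete, here is an added illustration (not Xen's code, and not the actual XSA-182 patch) of the decision such a fast path has to make: an over-broad notion of "safe", which only guards the frame address and the present bit, is set beside an explicit whitelist of bits that carry no protection meaning, so that any change to a protection bit is forced through full validation. The bit positions are the architectural x86 ones; the function names, the masks and the sample updates are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Architectural x86 page-table entry bits (positions are real). */
#define PAGE_PRESENT  (1ULL << 0)
#define PAGE_RW       (1ULL << 1)
#define PAGE_ACCESSED (1ULL << 5)
#define PAGE_DIRTY    (1ULL << 6)
#define PAGE_AVAIL    (7ULL << 9)          /* bits 9..11, free for software use */
#define PAGE_NX       (1ULL << 63)
#define PTE_FLAGS     (0xFFFULL | PAGE_NX) /* everything except the frame address */
typedef uint64_t pte_t;

/* Assumed model of the bug class: "safe" means only that the frame and the
 * present bit are unchanged, so granting write access or dropping NX on the
 * same frame slips past re-validation. */
bool fastpath_ok_broad(pte_t old, pte_t upd)
{
    return ((old ^ upd) & (~PTE_FLAGS | PAGE_PRESENT)) == 0;
}

/* Assumed corrected model: an explicit whitelist of bits that carry no
 * protection meaning; any other change goes through full validation. */
#define FASTPATH_SAFE (PAGE_ACCESSED | PAGE_DIRTY | PAGE_AVAIL)
bool fastpath_ok_whitelist(pte_t old, pte_t upd)
{
    return ((old ^ upd) & ~FASTPATH_SAFE) == 0;
}

/* Constructed sample updates: counts those the broad check waves through but
 * the whitelist sends to full validation. */
int count_unsafe_fastpath_hits(void)
{
    const pte_t base = 0x1234000ULL | PAGE_PRESENT | PAGE_ACCESSED; /* constructed */
    const pte_t cases[5][2] = {
        { base,           base & ~PAGE_ACCESSED },             /* clear A: safe */
        { base,           base | PAGE_DIRTY },                 /* set D: safe */
        { base,           base | PAGE_RW },                    /* grant write */
        { base | PAGE_NX, base },                              /* drop NX */
        { base,           (base & PTE_FLAGS) | 0x5678000ULL }, /* new frame */
    };
    int hits = 0;
    for (int i = 0; i < 5; i++)
        if (fastpath_ok_broad(cases[i][0], cases[i][1]) &&
            !fastpath_ok_whitelist(cases[i][0], cases[i][1]))
            hits++;
    return hits; /* 2: the RW grant and the NX drop */
}
```

The defensive lesson is the one the advisory implies: a fast path should enumerate the bits it is allowed to skip checks for, rather than enumerate the bits it considers dangerous, because the second list is the one that turns out to be incomplete.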

Last year a similar bug, XSA-148, was found in Xen. Indeed, the newly found vulnerability occurs in the same section of the code as XSA-148, the part that implements PV memory virtualisation. XSA-148 had existed in the code for seven years before being discovered.

Security researcher and creator of Qubes OS, Joanna Rutkowska, has long been critical of what she has described as a lax attitude to security among the Xen team. While so far unable to exploit the bug in experiments, Rutkowska said XSA-182 must be considered a serious or "fatal" vulnerability.

"The mere fact we were unable to come up with an agreeable exploitation sketch within the last 24 hours should not be treated as a mitigation factor," she writes.

"This bug, being the second critical bug in the Xen PV virtualisation code publicly discussed in a relatively short period of time, cannot simply be shrugged off, patched, and forgotten.

"It begs for answers to critical questions, such as: 1) has Xen been written by competent developers? 2) how many more bugs of this calibre are we going to witness in the future? 3) what can or should we do to protect against such gaping holes?"

Xen sent Computing a statement to say that vendors and cloud providers using Xen who signed up for notification (which includes all of the vendors mentioned here) were informed about the bug two weeks ago and will have had time to patch their servers during the embargo period.

"Xen Project follows industry-accepted best practices regarding software security," said chairperson Lars Kurth.

"This includes not discussing any details with security implications during our embargo period. This is to encourage anyone to report bugs they find to the Xen Project Security team. This also allows Xen Project security team to assess, respond and prepare updated software packages before public disclosure and broad compromise occurs."

Patches for CVE-2016-6258 can be downloaded from the Xen site.