New critical vulnerability XSA-212 reported in Xen hypervisor
AWS unaffected but users of Qubes OS are advised to update their systems
A new vulnerability has been discovered in the Xen hypervisor that could allow an attacker to access system memory from a paravirtualised machine.
The vulnerability, listed as XSA-212, could allow a malicious or buggy paravirtualised (PV) guest VM to access the entire system memory, allowing for privilege escalation, host crashes and information leaks. All Xen versions are vulnerable but only x86 systems are affected; ARM systems are not at risk. The threat is limited to 64-bit PV guests: HVM guests and 32-bit PV guests can't exploit the vulnerability.
According to the advisory, XSA-212 is the result of a flawed fix for an earlier issue, XSA-29, which "introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays".
A patch has been made available. Users of unpatched systems are advised to run 32-bit PV guests, as these are not affected.
Xen is used by cloud services such as AWS and Rackspace, although Amazon has said that AWS users are not affected by this vulnerability.
One system that is affected is Qubes OS, the secure operating system that's built on Xen. The Qubes team has been mulling moving away from the Xen PV architecture for some time, owing to the number of critical bugs that have cropped up in the hypervisor.
Qubes has not been affected by the majority of reported issues in Xen; nevertheless, lead developer Joanna Rutkowska has spoken of her wish to ditch Xen altogether, although she acknowledges this is not currently practical.
"While I'd love to ditch Xen and replace it with some more elegantly designed hypervisor or a microkernel, the reality is that this likely wouldn't work in practice - hardware compatibility issues would eat us alive," she told Computing last year.
Instead Qubes will move to a hardware virtual machine architecture for its next major release.
"This is another bug resulting from the overly-complex memory virtualisation required for PV in Xen," the team writes in its community blog.
"The upcoming Qubes OS 4.0 will no longer use PV. Instead, we will be switching to HVM-based virtualisation."
Andrew David Wong, community manager at Qubes, told Computing that the issue will not delay the release of Qubes 4.0.
Qubes users are advised that a fix will soon be forthcoming via a Qubes Dom0 update.
Xen has been beset by a number of bugs over the years, and recently (01 April) its developers announced they would be refactoring the code from C to Rust and JavaScript.
"C, without doubt, is ridden with quirks and undefined behaviours," the post says. "Even the most experienced developers find this collection of powerful footguns difficult to use. We're glad that the development of programming languages in the last decade has given us an abundance of better choices."
The planned release date for the refactored Xen is April 1st, 2018, which, along with the date of the blog post and the 'April 1st' tag, casts serious doubt on the veracity of the announcement.