Xen Project patches serious virtual machine escape flaws

The updates fix a total of four flaws, two allowing privilege escalation from guest VMs to the host

The Xen Project has fixed four vulnerabilities in its widely used virtualization software, two of which could allow malicious virtual machine administrators to take over host servers.

Flaws that break the isolation layer between virtual machines are the most serious kind for a hypervisor like Xen, which allows users to run multiple VMs on the same underlying hardware in a secure manner.

The Xen hypervisor is widely used by cloud computing providers and virtual private server hosting companies like Linode, which had to reboot some of its servers over the past few days to apply the new patches.

The Xen updates, which were shared with partners in advance, were released publicly Thursday along with accompanying security advisories.

One vulnerability identified as CVE-2016-7093 affects Hardware Virtual Machines (HVMs) which use hardware-assisted virtualization. It allows an administrator of a guest OS to escalate their privilege to that of the host.

The vulnerability affects Xen versions 4.7.0 and later, as well as Xen releases 4.6.3 and 4.5.3 but only those deployments with HVM guests running on x86 hardware.

Another privilege escalation flaw identified as CVE-2016-7092 affects the other type of virtual machines supported by Xen: paravirtualized (PV) VMs. The vulnerability affects all Xen versions and allows administrators of 32-bit PV guests to gain privileges on the host.

The two other patched vulnerabilities, CVE-2016-7154 and CVE-2016-7094, can be exploited by guest administrators to cause denial-of-service conditions on the host. In the case of CVE-2016-7154, which only affects Xen 4.4, remote code execution and privilege escalation cannot be excluded, the Xen Project said in an advisory.

Meanwhile, CVE-2016-7094 affects all versions of Xen but only deployments hosting HVM guests on x86 hardware that are configured to run with shadow paging.

Join the CSO newsletter!

Error: Please check your email address.

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place