
Xen hypervisor security flaw patched after seven years

A critical Xen hypervisor security flaw that allows a malicious guest to take control of the host, and that had gone undiscovered for seven years, was finally patched this week.

A major Xen hypervisor security flaw that had been lurking in the open source virtualization software for seven years has finally been patched.

Xen Project security team members disclosed the flaw Thursday in a security advisory (XSA-148) and issued a patch for the Xen hypervisor. The flaw, indexed as CVE-2015-7835, allowed the administrator of a paravirtualized (PV) guest to break out of the guest and gain control of the host.

"Malicious PV guest administrators can escalate privilege so as to control the whole system," the security advisory stated.

Xen versions 3.4 and later are vulnerable, but only on x86 systems; ARM-based systems, according to the advisory, are not affected. Because only a PV guest can trigger the flaw, running only hardware virtual machine (HVM) guests will prevent it from being exploited until the hypervisor is patched, the advisory said. The Xen Project security team offered additional guidance and urged users to take proper mitigation steps to prevent potential attacks.

"On systems where the guest kernel is controlled by the host rather than guest administrator, running only kernels which do not call these hypercalls will also prevent untrusted guest users from exploiting this issue," the security advisory stated. "However, untrusted guest administrators can still trigger it unless further steps are taken to prevent them from loading code into the kernel (e.g. by disabling loadable modules etc.) or from using other mechanisms which allow them to run code at kernel privilege."
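One way to triage whether a given host is in scope for this advisory, as an added example that is not code from the Xen Project, Qubes or the article: the script below applies the three scoping conditions the advisory gives (x86 host, Xen 3.4 or later, at least one PV guest running) to the output of `xl info` and `xl list -l`. The libxl JSON field names it reads (`config.c_info.type`, `config.b_info.type`, `config.c_info.name`) and the sample output embedded in it are assumptions constructed for the example. Note that the version string alone cannot tell you whether the XSA-148 fix has been applied, so the script reports scope, not patch status.

```python
"""Exposure triage for CVE-2015-7835 (XSA-148) on a Xen host.

Added example, not code from the Xen Project, Qubes or the article. It applies
the advisory's scoping rules: only x86 hosts, only Xen 3.4 and later, and only
hosts running PV guests are in scope (an HVM-only host cannot be attacked
through this flaw). Input is the text of `xl info` and the JSON of
`xl list -l`. The JSON field names (config.c_info.type, config.b_info.type,
config.c_info.name) are the libxl layout as assumed for this example; the
sample output below is constructed, not captured from a real host.
"""
import json
import re
import subprocess

FIRST_AFFECTED = (3, 4)  # "Xen 3.4 and later" per the advisory


def parse_xl_info(text):
    """Parse `xl info` 'key : value' lines into a dict (other lines skipped)."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_]+)\s*:\s*(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info


def xen_version(info):
    """Return (major, minor); falls back to xen_version if xen_major is absent."""
    if "xen_major" in info and "xen_minor" in info:
        return int(info["xen_major"]), int(info["xen_minor"])
    m = re.match(r"(\d+)\.(\d+)", info.get("xen_version", ""))
    if not m:
        raise ValueError("cannot determine Xen version from xl info output")
    return int(m.group(1)), int(m.group(2))


def is_x86(info):
    """`machine` is dom0's uname -m; the flaw is x86-only, ARM is not affected."""
    machine = info.get("machine", "").lower()
    return machine.startswith("x86") or machine in ("i386", "i486", "i586", "i686")


def pv_domains(xl_list_json):
    """Names of PV domains in `xl list -l` output; HVM guests are out of scope."""
    names = []
    for dom in json.loads(xl_list_json):
        cfg = dom.get("config", {})
        c_info = cfg.get("c_info", {})
        dtype = c_info.get("type") or cfg.get("b_info", {}).get("type")
        if dtype == "pv":
            names.append(c_info.get("name", "domid %s" % dom.get("domid")))
    return names


def assess(xl_info_text, xl_list_json):
    """Apply the three scoping conditions. 'exposed' means in scope, not unpatched:
    XSA patches do not change the version string, so confirm the fix separately
    (distribution package changelog or xen_changeset)."""
    info = parse_xl_info(xl_info_text)
    ver = xen_version(info)
    pv = pv_domains(xl_list_json)
    x86 = is_x86(info)
    reasons = []
    if not x86:
        reasons.append("not x86 (machine=%s)" % info.get("machine", "?"))
    if ver < FIRST_AFFECTED:
        reasons.append("Xen %d.%d predates 3.4" % ver)
    if not pv:
        reasons.append("no PV guests running (HVM-only)")
    return {
        "xen_version": ver,
        "x86": x86,
        "pv_domains": pv,
        "exposed": x86 and ver >= FIRST_AFFECTED and bool(pv),
        "out_of_scope_because": reasons,
    }


# Constructed sample output, not captured from a real host.
SAMPLE_XL_INFO = """\
host                   : xenhost01
release                : 3.16.0-4-amd64
machine                : x86_64
nr_cpus                : 8
xen_major              : 4
xen_minor              : 4
xen_extra              : .1
xen_version            : 4.4.1
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_64
"""

SAMPLE_XL_LIST = json.dumps([
    {"domid": 1, "config": {"c_info": {"type": "pv", "name": "web01"}, "b_info": {"type": "pv"}}},
    {"domid": 2, "config": {"c_info": {"type": "hvm", "name": "win-build"}, "b_info": {"type": "hvm"}}},
    {"domid": 3, "config": {"c_info": {"type": "pv", "name": "db01"}, "b_info": {"type": "pv"}}},
])


def main():
    """Use the live toolstack when present (run in dom0), otherwise the sample."""
    try:
        info_text = subprocess.check_output(["xl", "info"], text=True)
        list_json = subprocess.check_output(["xl", "list", "-l"], text=True)
    except (OSError, subprocess.CalledProcessError):
        info_text, list_json = SAMPLE_XL_INFO, SAMPLE_XL_LIST
    result = assess(info_text, list_json)
    major, minor = result["xen_version"]
    print("Xen %d.%d, x86=%s, PV guests: %s" % (
        major, minor, result["x86"], ", ".join(result["pv_domains"]) or "none"))
    if result["exposed"]:
        print("IN SCOPE for XSA-148: apply the patch, or run only HVM guests until it is applied")
    else:
        print("out of scope: " + "; ".join(result["out_of_scope_because"]))


if __name__ == "__main__":
    main()
```

Run it in dom0 to use the live `xl` output; anywhere else it falls back to the constructed sample and reports the x86 host with two PV guests as in scope. The per-domain check matters because the advisory's HVM-only mitigation is all or nothing: one remaining PV guest keeps the host exposed.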

Security researchers with Qubes OS, a security-focused operating system project that uses Xen, issued a security bulletin that described the hypervisor security flaw as "very critical" and "probably the worst we have ever seen."

In addition, the Qubes security bulletin highlighted the fact that the flaw, while "subtle," had existed for seven years before being discovered and claimed it showed a lack of security commitment from Xen developers.

"Specifically, it worries us that, in the last 7 years (i.e. all the time when the bug was sitting there having a good time) so much engineering and development effort has been put into adding all sorts of new features and whatnots, yet no serious effort to improve Xen security effectively," the Qubes bulletin stated. "For a type-1 hypervisor of the age and maturity of Xen, this simply should not be happening. If it does, it suggests the development process is not prioritizing security."

Xen hypervisor security flaws have been a concern for several major cloud providers and their customers over the last year. In October of 2014, Amazon Web Services, IBM Softlayer and Rackspace were forced to reboot parts of their cloud infrastructure following a major Xen hypervisor security update. A similar security update was issued in March of this year, though Amazon was able to avoid another major AWS reboot.

Amazon issued a security advisory Thursday saying the Xen hypervisor security patch did not affect AWS customers' data or instances, and that no customer action was required.

Next Steps

Find out why IaaS has put the spotlight on hypervisor security and tenant management

Learn why SMBs are struggling with virtualization security

Discover the differences between Type 1 and Type 2 hypervisors
