The Xen Project has fixed three vulnerabilities in its widely used hypervisor that could allow operating systems running inside virtual machines to access the memory of the host systems, breaking the critical security layer among them.
Two of the patched vulnerabilities can only be exploited under certain conditions, which limits their use in potential attacks, but one is a highly reliable flaw that poses a serious threat to multitenant data centers where the customers' virtualized servers share the same underlying hardware.
The flaws don't yet have CVE tracking numbers, but are covered in three Xen security advisories calledXSA-213,XSA-214andXSA-215.
"XSA-213 is a fatal, reliably exploitable bug in Xen," said the security team of Qubes OS, an operating system that isolates applications inside Xen virtual machines. "In the nearly eight-year history of the Qubes OS project, we have become aware of four bugs of this calibre: XSA-148, XSA-182, XSA-212 and now XSA-213."
Of these four highly critical and easy to exploit vulnerabilities, three have been found and patched over the past 10 months and two over the past month --XSA-182was fixed in July 2016,XSA-212in April and XSA-213 on Tuesday.
Another commonality is that all of them affected the Xen memory virtualization for paravirtualized (PV) VMs. Xen supports two types of virtual machines: Hardware Virtual Machines (HVMs), which use hardware-assisted virtualization, and paravirtualized VMs that use software-based virtualization.
The other two flaws patched Tuesday, XSA-214 and XSA-215, also affect paravirtualized VMs. The difference is that XSA-214 requires two malicious guest VMs to work together in order to access the system memory, while XSA-215 only affects "x86 systems with physical memory extending to a configuration dependent boundary of 5TB or 3.5TB."
One limitation for XSA-213 is that it can only be exploited from 64-bit PV guests, so systems running only HVM or 32-bit PV guests are not affected.
Xen的开发者发布的修补程序Xen的4.8.x,Xen的4.7.x,Xen的4.6.X和Xen 4.5.x可以手动应用到受影响的系统。
开源Xen系统管理程序是由许多云计算提供商和虚拟专用服务器(VPS)托管公司,其中一些获得补丁提前被迫安排维护停机时间使用。
例如,VPS提供商的Linodehad to rebootsome of its legacy Xen PV hosts in order to apply the fix and advised customers to move to its HVM-based servers to avoid future downtimes.
Meanwhile, Amazon Web Services said that its customers' data and instances were not affected by these vulnerabilities and no customer action was required.
该Qubes OS团队,自诩打造中国最安全的桌面操作系统之一,已不必使用Xen PV漏洞反复处理的不够。这就是为什么,在过去10个月中,它已经投入额外的工作的切换操作系统的下一个版本 - Qubes 4.0 - 给HVM。
"We originally hoped we could transition to running all Linux VMs in a so-called PVH mode of virtualization, where the I/O emulator is not needed at all, but it turned out the Linux kernel is not quite ready for this," the Qubes team said inan analysisof the latest Xen patches. "So, in Qubes 4.0, we will use the classic HVM mode, where the I/O emulator is sandboxed within... a PV VM (which is also the case when one runs Windows AppVMs on Qubes 3.x)."
The good news is that the groundwork is set to switch Qubes to PVH in the future when the Linux kernel adds the needed support, and even to replace Xen entirely with something else, if a better alternative comes along.