The Xen Security Team announced a critical security bug dubbed CVE-2015-7835 yesterday. The bug, which has existed for seven years, could allow an attacker write access to the underlying operating system from a para-virtualised (PV) virtual machine, which violates a core principle of virtualisation: that virtual machines cannot have direct access to the hypervisor.
It affects Xen version 3.4 and later on x86 systems. “It’s impact could be malicious PV guest administrators can escalate privilege so as to control the whole system,” the Security Team says. A patch has been released.
Describing the bug as “probably the worst we have seen affecting the Xen hypervisor, ever,” security researcher Joanna Rutkowska said it is “really shocking” that the bug had not been discovered in seven years.
“In our opinion the Xen project should rethink their coding guidelines and try to come up with practices and perhaps additional mechanisms that would not let similar flaws to plague the hypervisor ever again (assert-like mechanisms perhaps?). Otherwise the whole project makes no sense, at least to those who would like to use Xen for security-sensitive work,” she said.
Rutkowska, who created the security-enhanced operating system QubesOS, which is based on Xen, went on to say: “Specifically, it worries us that, in the last seven years (i.e. all the time when the bug was sitting there having a good time) so much engineering and development effort has been put into adding all sorts of new features and whatnots, yet no serious effort to improve Xen security effectively.”
She congratulated a person named ‘Good Wind’ working for Chinese internet giant Alibaba who found and reported the bug.
Whether the vulnerability has been successfully exploited is not known at this stage. Rutkowska described it as a “subtle bug, because there is no buggy code that could be spotted immediately”. However, now that it has gone public it is certain that attackers will be looking for unpatched systems to exploit.
It is thought that the cloud companies that base some services on Xen – including Amazon, Rackspace and IBM – were warned about the vulnerability and issued patches before the public announcement.
Open-source software like Xen is frequently held up as being more secure than its proprietary counterparts because of the “number of eyeballs on the code”, but bugs like this one and Heartbleed and the recent OpenSSL vulnerability can severely test this theory.