back to article Hypervisor security ero-Xen: How guest VMs can hijack host servers

The Xen project has today patched four security bugs in its open-source hypervisor – three potentially allowing guest virtual machines to take over their host servers. The other programming cockup allows a guest to crash the underlying machine. This is not great news for cloud providers or anyone else running untrusted VMs on …

  1. Anonymous Coward
    Anonymous Coward

    not sure about enterprise but

    Wow glad I picked QEMU/KVM/virt-manager for my home needs instead. OpenBSD guest runs like a champ on it with native drivers for virtio. Also nice having the whole stack open source including the bios which you don't get with VirtualBox or VMWare (obviously) as well.

    1. kryptylomese

      Re: not sure about enterprise but

      Don't be too proud of your technological achievement....

      You may find that there is vulnerability is found in your chosen virtualisation technology tomorrow.

      1. Anonymous Coward
        Anonymous Coward

        Re: not sure about enterprise but

        True they all have them from time to time but Xen lately has been a leaking like a sieve. Made Qubes OS go from looking like Fort Knox to Fort Swiss Cheese (was going to go Fort Mayor McCheese but nobody would get it).

        1. Anonymous Coward
          Anonymous Coward

          Re: not sure about enterprise but

          True they all have them from time to time but Xen lately has been a leaking like a sieve.

          Actually, this is not really true. If you look http://www.cvedetails.com/vendor/6276/XEN.html (which does not yet include those 4 CVEs/XSAs, you notice that in 2016 (assuming the rate of discovery stays similar to the 9 months before), the number of CVEs/XSAs for Xen which includes QEMU and Linux vulnerabilities in supported Xen configurations is actually slowing, despite more people looking for vulnerabilities. Contrast that with the Linux Kernel and QEMU vulnerabilities, both parts of KVM (see http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33 & http://www.cvedetails.com/product/12657/Qemu-Qemu.html?vendor_id=7506) where the rate of vulnerabilities discovered is actually increasing steadily.

          However, I can see why the impression of more Xen vulnerabilities is created: the difference is simply that each Xen vulnerability is covered in the tech media, while Linux, QEMU or KVM vulnerabilities are rarely covered (often they are only covered if there is a Xen angle). A simple google news search for "<hypervisor insert Xen/QEMU/KVM/...> vulnerability" clearly shows the difference in how issues are reported.

        2. TheVogon Silver badge

          Re: not sure about enterprise but

          "Made Qubes OS go from looking like Fort Knox to Fort Swiss Cheese "

          Hyper-V Server is free with all features enabled and has by far the best security vulnerability profile of any commonly used Hypervisor option. It's easy to run Linux on it.

      2. Nate Amsden

        Re: not sure about enterprise but

        let me know when one is published for vsphere.. I have looked in the past and the only thing I have found has been related to vmware tools running on windows I think specifically for HGFS in particular (and that may of been workstation only since there's no point of HGFS on esxi)

        Some folks like to say, you never know what is undisclosed for security in vmware, same can be said for Xen or any other product as well.

        Having the source by no means solves anywhere close to all problems. There's been some nasty bugs released in open source stuff that took well over a decade to find.

        I'm not complaining either way(when I see the Xen stuff like this I find it funny), but am a happy vmware customer(enterprise+ 5.5, and none of their fancy automation stuff which seems to be breaking a lot)

      3. nijam

        Re: not sure about enterprise but

        Indeed, the difference between products that have bugs reported, and products that don't, is not the bugs, it's the reports.

    2. gwd

      Illusion of security

      The reason you don't hear about KVM vulnerabilities is there's no good way to hear about them. They're usually not announced anywhere publicly. Xen, on the other hand, have an official process whereby you can get e-mail notifications as soon as the vulnerability is discovered and fixed; and if you're a public cloud provider, you can get notification two weeks beforehand, so you can patch your systems before the world knows about it.

      So if what you want is the illusion of security, because you just don't hear about the bugs, by all means go with KVM. But if what you want is to be able to actually fix your bugs as soon as possible, go with Xen.

      1. Anonymous Coward
        Anonymous Coward

        Re: Illusion of security

        No fan of Red Hat but the one thing they do better than just about any other company is patch Linux and they directly have a dog in the fight with KVM. Considering how many resources they dedicate to Linux (systemd, udev, Gnome fiasco showed they can overwhelm everyone else when they want) I bet its still significantly more than dedicated to Xen even with all the big names behind it. Again if I was some big wig making cloudy decisions the calculus could very well change but for home use where my main OS is Linux KVM/QEMU was the obvious choice. What would concern me about Xen is not the quantity of CVEs but the severity. Anything that pretty much completely invalidates Qubes OS security is not trivial and probably not that isolated.

        1. Anonymous Coward
          Anonymous Coward

          Re: Illusion of security

          What would concern me about Xen is not the quantity of CVEs but the severity. Anything that pretty much completely invalidates Qubes OS security is not trivial and probably not that isolated.

          Qubes wasn't affected by this set of bugs, as far as I recall. The bugs in this set of vulnerabilities are in also uncommon configurations, such as 32bit guests, use of shadow page tables (not the default and slower than normal), ...

  2. Andrew Jones 2

    Phew, I was a bit concerned for a moment then.... but I'm running the latest Xenserver on 64bit hardware with all host OSes running 64bit flavours. Looks like I'm safe for now.

  3. Steve Knox
    Pint

    Ah the joys of segmented memory

    This one's for all you out there who actually remember what CS:IP stands for.

    1. Daniel B.
      Boffin

      Re: Ah the joys of segmented memory

      My first assembly programs were written in TASM, targeting 16-bit x86. Ah, the memories...

  4. Daniel B.
    Boffin

    So...

    Basically, I can break out of the VM by running DOS and hacking up a program with DEBUG?

    -affff

    NOP

    1. BinkyTheMagicPaperclip Silver badge

      Re: So...

      It doesn't seem like a huge problem at first, does it, even if it's the first Xen flaw in a while that has been an oversight rather than a very specific set of circumstances.

      Unfortunately, if you can exploit the VM to manipulate the boot loader, and then reboot the system, it's game over - VM boots up in 16 bit mode, machine owned.

      Xen is by no means perfect, but it's quite a decent product with unique virtualisation and manageability features.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019