Open source hypervisor Xen Project has released security advisories for four serious vulnerabilities in its virtualisation software that could leave unpatched hosts open to abuse.
The first, XSA-185, affects all versions of 64-bit Xen and allows malicious 32-bit para-virtualised (PV) guest administrators to elevate their privileges to that of the host.
The flaw allows malicious admins to bypass host security mechanisms intended to control guest access for system memory reads and writes. Hosting services can avoid the vulnerability by only allowing 64-bit PV or hardware virtual machines on their infrastructure.
XSA-186 is a flaw that allows malicious HVM guests to overwrite hypervisor memory, again escalating their privileges to that of the host. It affects Xen versions 4.5.3, 4.6.3 and 4.7.0 and later, the project said. Running only PV guests avoids XSA-186.
Malicious administrators of HVM guests running with shadow paging on Intel and AMD x86 hardware can also mount denial-of-service attacks on hosts by exceeding the space allocated for internal state, via XSA-187.
The vulnerability is found in all versions of Xen, but it does not affect x86 HVM guests configured to use hardware-assisted paging, nor can ARM or PV guests trigger it. Xen runs x86 guests in HAP mode by default on newer processors.
The fourth vulnerability, XSA-188, is a use-after-free flaw that lets malicious guest admins crash hosts, and could potentially be abused for arbitrary code execution, privilege escalation and information leaks, the project said. It affects only Xen version 4.4.
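For operators who need to work out which of their guests fall under which advisory, the exposure conditions quoted above can be turned into a simple inventory triage. The following Python script is an added example, not code from the article or from the Xen Project; the inventory record layout (host version, host bitness, guest kind, guest bitness, architecture, paging mode) is an assumption about how an operator tracks guests, the inventory rows are constructed, and the reading of "4.7.0 and later" as covering the whole 4.7 series is an interpretation that should be checked against the advisory text.

```python
"""Triage: which of XSA-185..188 could a given Xen guest trigger, based only on
the conditions stated in the article.  Example code added here; not the Xen
Project's tooling.  Inventory rows below are constructed sample data."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '4.6.3' into (4, 6, 3) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Guest:
    name: str
    host_xen: str       # hypervisor version string, e.g. "4.6.3"
    host_bits: int      # 32 or 64: bitness of the hypervisor build
    kind: str           # "pv" or "hvm"
    guest_bits: int     # 32 or 64: bitness of the guest kernel
    arch: str           # "x86" or "arm"
    hap: bool = True    # HVM only: True = hardware-assisted paging, False = shadow


def xsa186_affected(host_xen: str) -> bool:
    """Article: affects 4.5.3, 4.6.3 and 4.7.0 and later.
    Assumption: "and later" means any 4.7.x or newer release."""
    v = parse_version(host_xen)
    return v in {(4, 5, 3), (4, 6, 3)} or v >= (4, 7, 0)


def exposures(g: Guest) -> set:
    """Return the set of advisories this guest could trigger against its host."""
    found = set()
    # XSA-185: 64-bit Xen, 32-bit PV guest -> host privilege escalation.
    if g.host_bits == 64 and g.kind == "pv" and g.guest_bits == 32:
        found.add("XSA-185")
    # XSA-186: HVM guest on the listed hypervisor versions -> hypervisor memory overwrite.
    if g.kind == "hvm" and xsa186_affected(g.host_xen):
        found.add("XSA-186")
    # XSA-187: x86 HVM guest using shadow paging -> host DoS.  HAP, ARM and PV are not affected.
    if g.kind == "hvm" and g.arch == "x86" and not g.hap:
        found.add("XSA-187")
    # XSA-188: any guest on Xen 4.4 -> host crash (use-after-free).
    if parse_version(g.host_xen)[:2] == (4, 4):
        found.add("XSA-188")
    return found


def triage(inventory) -> dict:
    """Map guest name -> sorted list of advisories; guests with none are omitted."""
    return {g.name: sorted(exposures(g)) for g in inventory if exposures(g)}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Guest("web-01", "4.6.3", 64, "pv", 32, "x86"),              # 32-bit PV on 64-bit Xen
    Guest("db-01", "4.4.0", 64, "hvm", 64, "x86", hap=False),   # shadow-paging HVM on 4.4
    Guest("ci-01", "4.7.1", 64, "hvm", 64, "x86"),              # HAP HVM on 4.7 series
    Guest("mon-01", "4.6.2", 64, "pv", 64, "x86"),              # 64-bit PV, not listed for any
    Guest("arm-01", "4.6.3", 64, "hvm", 64, "arm", hap=False),  # ARM cannot trigger XSA-187
]

if __name__ == "__main__":
    for name, xsas in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(xsas)}")
```

The script encodes only what the article states; it is a checklist to prioritise patching and reboots, not a substitute for reading each advisory's exact version ranges.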
Amazon Web Services has advised that its Xen-based infrastructure is not vulnerable to XSA-185, 186, 187 or 188, and no action is required by customers.
Cloud hosting provider Linode, conversely, will be forced to reboot its legacy Xen infrastructure. Its KVM-based platform, however, isn't affected by the vulnerabilities, the company said.
Xen has come under fire for its patchy security record over the last few years.
In July this year, Xen was harshly criticised after a critical guest privilege escalation bug, similar to another flaw that lay dormant in the hypervisor for seven years, was discovered.