This article is more than 1 year old
QEMU may be fro-Xen out after two new bugs emerge
Five guest-host escalation SNAFUs might be stretching the virtual friendship
The Xen project has revealed another two bugs in the QEMU hypervisor and is now wondering the extent to which it should support the buggy code.
The first of the flaws, CVE-2015-5165, means “A guest may be able to read sensitive host-level data relating to itself which resides in the QEMU process” and impacts “All Xen systems running x86 HVM guests without stubdomains which have been configured with an emulated RTL8139 driver mode”.
There's a workaround and the Xen team are asking you to use it, because they don't feel they have the time or resources to backport the QEMU team's patches.
The advisory for the flaw also offers the following contentious text:
“We will encourage the community to have a conversation, when this advisory is released, about the continuing security support status of qemu-xen-traditional in non-stub-dm configurations.”
We'll keep an eye on that for you!
CVE-2015-5166 comes about “When unplugging an emulated block device the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer.”
As a result “An HVM guest which has access to an emulated IDE disk device may be able to exploit this vulnerability in order to take over the qemu process elevating its privilege to that of the qemu process.”
No workaround is available: you'll need to get the QEMU patches to sort it out.
These new flaws come hot on the heels of the VENOM bug, another guest/host escape addressed in Xen 4.5.1 and last week's emulated CD-ROM SNAFU.
With another two similar flaws now revealed, little wonder the Xen community is pondering its future relationship with QEMU. ®