Xen patches three bugs that allow guest-host takeover

Paravirtualized guests on old x86s are the risk – just the sort of thing that gets forgotten


The Xen Project has disclosed three bugs in its eponymous hypervisor – all of which would allow a malicious VM administrator to take control of a host system.

CVE-2022-26364 and CVE-2022-26363 are the subject of a single security advisory that warns the flaws mean "Malicious x86 PV guest administrators can escalate privilege so as to control the whole system."

The bad news is that all versions of Xen have the problem, which is caused by an incorrect conclusion that a page is safe to access. The good news is that Xen has a sincere belief that Xen on Intel's Ivy Bridge or later architectures is not impacted by the vulnerability. The flaw also impacts only paravirtualized guests that have access to a host's devices. Not sharing devices with guests will make the problem moot.

Ivy Bridge debuted in 2012 and its production run ended in 2015, but it is surely folly to assume that means trivially few boxes are threatened by CVE-2022-26364. The Register has heard too many stories of servers that just keep running, and evade IT estate inventories, to suggest this flaw can be ignored.

The Xen Project certainly did not. The prevalence of the hypervisor in hyperscale and embedded environments saw it issue an advisory under embargo. That advisory was revised four times, suggesting a bit of back and forth.

The other flaw is CVE-2022-26362 which also allows guest-host takeover. Again, only PV guests are a risk, but guest-host takeover is a possibility. If you don't run PV guests, you're in the clear.

Xen's advisory for this flaw again explains that it's a problem with pages.

Google's Project Zero found both flaws, but fear not – the G-Cloud runs a hardened version of KVM, not Xen. ®


Other stories you might like

  • Ditching VMware over the Broadcom buy? Here are some of your options
    What's your contingency plan?

    Opinion Broadcom has yet to close the deal on taking over VMware, but the industry is already awash with speculation and analysis as to how the event could impact the cloud giant's product availability and pricing.

    If Broadcom's track record and stated strategy tell us anything, we could soon see VMware refocus its efforts on its top 600 customers and raise prices, and leave thousands more searching for an alternative.

    The jury is still out as to whether Broadcom will repeat the past or take a different approach. But, when it comes to VMware's ESXi hypervisor, customer concern is valid. There aren't many vendor options that can take on VMware in this arena, Forrester analyst Naveen Chhabra, tells The Register.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading

Biting the hand that feeds IT © 1998–2022