Cloud computing providers rebooted systems to apply patch

Oct 2, 2014 08:56 GMT

A serious security vulnerability in the Xen hypervisor was publicly disclosed on Wednesday: a malicious hardware virtual machine (HVM) guest could read data belonging to other guests running in the same virtualization environment.

Xen is an open-source hypervisor used to provide virtual private servers, and it underpins cloud computing services such as Amazon EC2 (Elastic Compute Cloud) and Rackspace Cloud.

Data from other guests and the hypervisor at risk

By leveraging this vulnerability, which has been assigned the CVE-2014-7188 identifier, an attacker could read information from virtual machines running on the same hardware and managed through Xen.

As per Xen’s security advisory, the problem stems from the fact that “the MSR range specified for APIC use in the x2APIC access model spans 256 MSRs. Hypervisor code emulating read and write accesses to these MSRs erroneously covered 1024 MSRs.”

The write emulation path had been written so that accesses to the additional MSRs have no effect on other state, but, the advisory says, “the read path would (attempt to) access memory beyond the single page set up for APIC emulation.”

As a result of the bug, a guest could crash the host, or read information belonging to other virtual machines and to the hypervisor itself.
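The range error the advisory describes is a textbook bounds-check mismatch: the check that decides whether an MSR belongs to the emulated x2APIC accepted four times as many MSRs as the register page behind it can hold. The C model below is an added illustration, not Xen's code or its patch. It assumes the architectural x2APIC layout (MSRs starting at 0x800, MSR 0x800+n mirroring the 16-byte-aligned register at byte offset n*16 of a 4 KiB APIC page); the names `x2apic_msr_read`, `probe` and `msrs_past_page` are the example's own, and the out-of-page guard in the read function is the model's way of reporting the condition rather than performing the access.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the bounds problem the advisory describes; not Xen's
 * code. Assumptions (x2APIC architecture, not the article): x2APIC MSRs start
 * at 0x800 and MSR 0x800+n mirrors the register at byte offset n*16 of the
 * 4 KiB APIC register page.
 */
#define X2APIC_MSR_BASE        0x800u
#define APIC_PAGE_SIZE         4096u
#define MSR_REG_STRIDE         16u

/* The range the advisory says the emulation accepted, and the correct one. */
#define X2APIC_RANGE_BUGGY     1024u   /* 0x800 .. 0xBFF: 16 KiB of offsets */
#define X2APIC_RANGE_FIXED     256u    /* 0x800 .. 0x8FF: exactly one page */

enum read_result {
    READ_OK = 0,           /* value came from the emulation page */
    READ_NOT_X2APIC = 1,   /* range check rejected the MSR */
    READ_PAST_PAGE = 2     /* range check accepted it, but the offset lies beyond the page */
};

/* Single-page emulated local APIC, as in the advisory's description. */
struct vlapic_model {
    uint8_t regs[APIC_PAGE_SIZE];
};

/*
 * Emulated x2APIC MSR read with a caller-chosen range size. The offset guard
 * is the model's own: it reports the out-of-page condition instead of
 * performing the read that the advisory describes.
 */
static enum read_result x2apic_msr_read(const struct vlapic_model *vl,
                                        uint32_t msr, uint32_t range,
                                        uint64_t *out)
{
    if (msr < X2APIC_MSR_BASE || msr >= X2APIC_MSR_BASE + range)
        return READ_NOT_X2APIC;

    size_t offset = (size_t)(msr - X2APIC_MSR_BASE) * MSR_REG_STRIDE;
    if (offset + sizeof(uint32_t) > sizeof(vl->regs))
        return READ_PAST_PAGE;

    uint32_t value;
    memcpy(&value, &vl->regs[offset], sizeof value);
    *out = value;
    return READ_OK;
}

/* How many MSRs a given range size accepts whose register offset is not on the page. */
static unsigned int msrs_past_page(uint32_t range)
{
    unsigned int n = 0;
    for (uint32_t i = 0; i < range; i++)
        if ((size_t)i * MSR_REG_STRIDE >= APIC_PAGE_SIZE)
            n++;
    return n;
}

/* Builds a constructed APIC page and reads one MSR under the given range size. */
static int probe(uint32_t msr, uint32_t range, uint64_t *out)
{
    struct vlapic_model vl;
    memset(vl.regs, 0, sizeof vl.regs);
    /* Constructed sample value in the register at offset 0x30 (MSR 0x803). */
    uint32_t sample = 0x00050014u;
    memcpy(&vl.regs[0x30], &sample, sizeof sample);
    return (int)x2apic_msr_read(&vl, msr, range, out);
}

int main(void)
{
    uint64_t v = 0;
    printf("MSR 0x803, fixed range: result %d, value 0x%llx\n",
           probe(0x803, X2APIC_RANGE_FIXED, &v), (unsigned long long)v);
    printf("MSR 0x900, fixed range: result %d (rejected by range check)\n",
           probe(0x900, X2APIC_RANGE_FIXED, &v));
    printf("MSR 0x900, buggy range: result %d (accepted, offset past the page)\n",
           probe(0x900, X2APIC_RANGE_BUGGY, &v));
    printf("MSRs accepted but past the page: buggy=%u fixed=%u\n",
           msrs_past_page(X2APIC_RANGE_BUGGY), msrs_past_page(X2APIC_RANGE_FIXED));
    return 0;
}
```

With the 1024-entry range, 768 of the accepted MSRs map to offsets in the three pages following the APIC page, which is the memory the advisory says the read path would reach; with the 256-entry range, every accepted MSR lands inside the single page and the out-of-page branch is unreachable. The defensive lesson is that the size of a dispatch range and the size of the buffer it indexes must be derived from the same constant, so that they cannot drift apart.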

A patch has been issued to fix the problem that affects Xen 4.1 and up on x86 systems (ARM is not affected).

Amazon patched a tenth of their EC2 fleet

Credited to Jan Beulich at SUSE, CVE-2014-7188 was made known to cloud providers prior to its public disclosure, to allow them to take the necessary actions for protecting their customers.

Last week, Amazon started a maintenance update impacting 10% of their EC2 systems. This required a reboot of the hardware, making them unavailable for the entire duration of the patching procedure (estimated at a few minutes).

Customers with EC2 instances in multiple availability zones were the least affected by Amazon’s quick action, because their data was present in more than one location and remained accessible while the systems in any one zone were being rebooted.

“Instances requiring a reboot will be staggered so that no two regions or availability zones are impacted at the same time and they will restart with all saved data and all automated configuration intact,” Amazon said before beginning the system reboots.

The company completed the work on September 30 and said that the operation went according to plan, adding that it had worked with its customers throughout to ensure that everything went smoothly on their side, too.