Xen Project Patches 7 Year Old Critical Security Vulnerability

In late October the Xen Project who is the maintainer of its very popular Xen Project virtualization software (defined) released a series of security advisories to resolve 9 security issues (consisting of 8 CVEs (defined)) within their software. The most serious of which (described in this advisory) has been present within the software for the last 7 years (but went undetected during that time).

Why Should These Issues Be Considered Important?
The most serious issue which affects version 3.4 (onwards) of the Xen Project involved how a guest server (namely a server which only exists in software rather than a physical device enabling multiple servers to exist on a single physical server) accesses the memory of the physical server within which it resides. This was due to code that validates access to the page table (see page 10 and 11 of this PDF for a definition of a level 2 table specific to this vulnerability. This slide deck explains the more general concept) being bypassed under certain conditions meaning that the guest server (if under the control of an attacker or malware) could have escalated it’s privileges to completely control the physical server.

The remaining 8 security issues could also cause a severe impact to your server infrastructure since they are denial of service issues (defined).

How Can I Protect Myself From These Issues?
While mitigations are available for the majority of these issues, it is recommended to apply the necessary security updates if you use the Xen Project virtualization software within your organization.

The main Xen security advisories page is located here. Links to the appropriate advisories with steps to install the necessary updates are provided below:

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s