Critical Xen bug in PV memory virtualization code

195 points by tshtf, more than 9 years ago

12 comments

tetrep, more than 9 years ago
As the title doesn't indicate, this is a pretty big deal. Full host compromise from a guest that always works and doesn't leave any traces. Amazon is claiming it doesn't affect them[0], but they don't give any details as to why.

[0]: https://aws.amazon.com/security/security-bulletins/XSAsecurityadvisories-October/

walterbell, more than 9 years ago

    | The code to validate level 2 page table entries is bypassed when
    | certain conditions are satisfied. This means that a PV guest can
    | create writeable mappings using super page mappings.
    |
    | Such writeable mappings can violate Xen intended invariants for pages
    | which Xen is supposed to keep read-only.

Xen is used by security-focused Qubes, which published an analysis of XSA-148, https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt:

"The above is a political way of stating the bug is a very critical one. Probably the worst we have seen affecting the Xen hypervisor, ever. Sadly.

Admittedly this is subtle bug, because there is no buggy code that could be spotted immediately ... On the other hand, it is really shocking that such a bug has been lurking in the core of the hypervisor for so many years. In our opinion the Xen project should rethink their coding guidelines and try to come up with practices and perhaps additional mechanisms that would not let similar flaws to plague the hypervisor ever again (assert-like mechanisms perhaps?). Otherwise the whole project makes no sense, at least to those who would like to use Xen for security-sensitive work.

Specifically, it worries us that, in the last 7 years (i.e. all the time when the bug was sitting there having a good time) so much engineering and development effort has been put into adding all sorts of new features and whatnots, yet no serious effort to improve Xen security effectively. Because there have been, of course, many more security bugs found in Xen over the last years (as the numbering of this XSA suggests)... the bugs in Xen are being found regularly, and this is no good news. For a type-1 hypervisor of the age and maturity of Xen, this simply should not be happening. If it does, it suggests the development process is not prioritizing security."

eli, more than 9 years ago
Linode apparently was affected but got advance notice and patched all servers over the past week.

bgirard, more than 9 years ago
I was wondering what it was. That explains the 'Critical Xen Maintenance' reboot ticket I got from Linode 11 days ago.

notabot, more than 9 years ago
This is not the first time they rant about this sort of thing. Of course if they can't stand the code quality of Xen they are always welcome to switch to KVM, virtualbox, bhyve or whatever open source hypervisor they think has the best code quality and security practice.

I know it is within their right to write things as they please. But seriously, ranting like this is not very constructive and doesn't move things forward. If Qubes thinks the practices in Xen community are bad, why don't they start a conversation on Xen development mailing list?

(edited: typo)

rcconf, more than 9 years ago
Does this mean it's a good idea to reset all keys/passwords for any service that was using Xen?

I don't know much about Xen, so perhaps someone else can chime in on this. This exploit says it's for PV, and not for HVM.

But Xen can apparently run both at the same time. Does this mean even if you were using HVM, and Xen had other guests using PV, you were still exploitable?

arielby, more than 9 years ago
> This bug might also be considered an argument for the view of ditching of para-virtualized (PV) VMs, and switch to HVMs

It's not like Xen HVMs have a better security story than PVMs. The paravirtualization code should probably be more heavily audited than it is already.

bluedino, more than 9 years ago
What's the quote from Theo again?

"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

upbeatlinux, more than 9 years ago
Rackspace has been patching their Xen stuff for a little over a week now.

It's nice having a multi-region / multi-provider setup otherwise the typical Rackspace reboot window (much like UPS deliveries or the cable guy) would've been a pain in the ass.

_delirium, more than 9 years ago
prgmr.com has a rundown on what affected them: http://blog.prgmr.com/operations/2015/10/29/recent-xsas.html

PaulHoule, more than 9 years ago
I think hardware implementation can have security bugs too and it's a lot harder to upgrade the hardware than the software.

devit, more than 9 years ago
The existence of such a catastrophic bug shows that Xen is unfortunately not suitable for use as a hypervisor in a secure system and needs to be replaced.

We really need a properly written open source hypervisor: entities using secure hypervisors commercially like Amazon AWS should fund the development of one.