For seven years, Xen virtualization software used by Amazon Web Services and other cloud computing providers has contained a vulnerability that allowed attackers to break out of their confined accounts and access extremely sensitive parts of the underlying operating system. The bug, which some researchers say is probably the worst ever to hit the open source project, was finally made public Thursday along with a patch.
As a result of the bug, “malicious PV guest administrators can escalate privilege so as to control the whole system,” Xen Project managers wrote in an advisory. The managers were referring to an approach known as paravirtualization, which allows multiple lower-privileged users to run highly isolated computing instances on the same piece of hardware. By allowing guests to break out of those confines, CVE-2015-7835, as the vulnerability is indexed, compromised a core tenant of virtualization.
“The above is a political way of stating the bug is a very critical one,” researchers with Qubes OS, a desktop operating system that uses Xen to security sensitive resources, wrote in an analysis published Thursday. “Probably the worst we have seen affecting the Xen hypervisor, ever. Sadly.”