
SoylentNews is people

posted on Monday May 08 2017, @02:27AM
from the hypervisor-beat-down dept.

Qubes is once again regretting how long it's taken to abandon Xen's PV hypervisor, disclosing another three bugs including host escape vulnerabilities.

The most serious bugs are in PV (paravirtualization) memory handling, XSA-213 and XSA-214.

"An attacker who exploits either of these bugs can break Qubes-provided isolation. This means that if an attacker has already exploited another vulnerability, e.g. in a Web browser or networking or USB stack, then the attacker would be able to compromise a whole Qubes system," Qubes says in this note.

The bug in XSA-213 only affects 64-bit x86 systems and relates to how root and user mode page tables are handled by 64-bit PV guests. The IRET hypercall, which stands in for the identically-named CPU instruction, transfers control from user mode to kernel mode.

"If such an IRET hypercall is placed in the middle of a multicall batch, subsequent operations invoked by the same multicall batch may wrongly assume the guest to still be in kernel mode", Xen explains, with the result that the guest could get writable access to the wrong root page table.

This means a buggy or malicious PV guest "may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks."

-- submitted from IRC


  • (Score: 0) by Anonymous Coward on Tuesday May 09 2017, @12:33AM (#506678)

    x ≠ 1