The Xen Project reported on Thursday that it has patched a total of four vulnerabilities that can be exploited for privilege escalation or denial-of-service (DoS) attacks.

One of the flaws, described in the XSA-185 advisory and tracked as CVE-2016-7092, allows a malicious 32-bit PV (paravirtualization) guest administrator to escalate their privileges to that of the host.

The issue affects all versions of Xen, but it can only be exploited by 32-bit PV guests on x86 hardware – 64-bit PV guests, x86 HVM (Hardware Virtual Machine) guests and ARM guests are not impacted.

A similar flaw, one that allows a malicious HVM guest administrator to escalate their privileges to that of the host, is tracked as CVE-2016-7093 and described in the XSA-186 advisory. The vulnerability affects Xen versions 4.6.3, 4.5.3, and 4.7.0 and later, but it can only be exploited on HVM guests running on x86 hardware.

XSA-187 describes an overflow issue that can be leveraged by an HVM guest admin to cause Xen to fail a bug check and lead to the host entering a DoS condition. The flaw, identified as CVE-2016-7094, affects all Xen versions and it can be exploited on HVM guests on x86 hardware when they are configured to run with shadow paging.

The last vulnerability, CVE-2016-7154, is a use-after-free that can be exploited by a guest administrator to crash the host (DoS condition). It’s also possible that this weakness, described in XSA-188, can be leveraged for information leaks and arbitrary code execution that leads to privilege escalation.

The list of individuals credited for finding and reporting these vulnerabilities includes Jérémie Boutoille of Quarkslab, Shangcong Luan of Alibaba Cloud, Brian Marcotte, Andrew Cooper of Citrix, and Intel Security’s Mikhail Gorobets.

Xen is used in Linux distributions and cloud services provided by companies such as Amazon, IBM, Linode and Rackspace. The Xen Project typically provides them patches before vulnerabilities are disclosed to give them enough time to address the issues.

On this occasion, Linode informed customers that it has updated its legacy Xen host servers to resolve these vulnerabilities, while Amazon told users that they are not affected. IBM and Rackspace had not released any advisories by the time this article was published.

Citrix, which provides a commercial version of Xen, informed customers that the vulnerabilities, classified as having medium and high severity, have been addressed in all supported versions of its XenServer product.

Related: Xen Patches Serious Privilege Escalation Flaw

Related: Xen Hypervisor Flaws Force Amazon, Rackspace to Reboot Servers

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption

August 24, 2016 , 8:00 am

Patched Android Libutils Vulnerability Harkens Back to Stagefright

September 9, 2016 , 2:06 pm

Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

September 8, 2016 , 3:43 pm

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Dropbox Forces Password Reset for Older Users

August 29, 2016 , 9:58 am

Cisco Begins Patching Equation Group ASA Zero Day

August 24, 2016 , 5:53 pm

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

iOS 9.3.4 Patches Critical Code Execution Flaw

August 8, 2016 , 9:00 am

IoT Insecurity: Pinpointing the Problems

July 21, 2016 , 7:00 am

VeraCrypt Audit Under Way; Email Mystery Cleared Up

August 16, 2016 , 2:27 pm

New Gmail Alerts Warn of Unauthenticated Senders

August 11, 2016 , 2:10 pm

New Trojan SpyNote Installs Backdoor on Android Devices

July 29, 2016 , 12:21 pm

Fallout Over OPM Breach Report Begins

September 9, 2016 , 9:00 am

Keystroke Recognition Uses Wi-Fi Signals To Snoop

August 25, 2016 , 2:19 pm

Threatpost | The first stop for security news