
Pandavirtualization: Exploiting the Xen hypervisor (Project Zero)

The latest installment from Google's Project Zero covers the development of an exploit for this unpleasant Xen vulnerability. "To demonstrate the impact of the issue, I created an exploit that, when executed in one 64-bit PV guest with root privileges, will execute a shell command as root in all other 64-bit PV guests (including dom0) on the same physical machine."


Pandavirtualization: Exploiting the Xen hypervisor (Project Zero)

Posted Apr 7, 2017 16:54 UTC (Fri) by NightMonkey (subscriber, #23051) (5 responses)

So, EC2 is Xen, IIRC. Yikes.

Pandavirtualization: Exploiting the Xen hypervisor (Project Zero)

Posted Apr 7, 2017 17:41 UTC (Fri) by dw (subscriber, #12017) (4 responses)

EC2 doesn't use PV for any recent instance families. I think the last that used it was t1.

Pandavirtualization: Exploiting the Xen hypervisor (Project Zero)

Posted Apr 7, 2017 20:53 UTC (Fri) by NightMonkey (subscriber, #23051) (3 responses)

You are right. My bad. I wonder how many old PV-style instances are left. I hope there's not a way to tell using nmap fingerprinting...

Pandavirtualization: Exploiting the Xen hypervisor (Project Zero)

Posted Apr 7, 2017 21:10 UTC (Fri) by excors (subscriber, #95769)

I got a message from Gandi.net two weeks ago about a soon-to-be-disclosed Xen vulnerability, which I assume was this one, saying I had to restart my server before April 4 (else they'd forcibly restart it). I think they recently gained support for live patching of Xen, so most servers could be fixed with no reboot, but mine had been up for too long.

Most cloud providers presumably have similar policies, and are similarly notified before the public disclosure, so they should have all patched it already and forced reboots where necessary.

Pandavirtualization: Exploiting the Xen hypervisor (Project Zero)

Posted Apr 10, 2017 6:56 UTC (Mon) by buchanmilne (guest, #42315) (1 response)

AWS has indicated that they are not affected: https://aws.amazon.com/security/security-bulletins/AWS-20...

Pandavirtualization: Exploiting the Xen hypervisor (Project Zero)

Posted Apr 13, 2017 8:49 UTC (Thu) by dunlapg (guest, #57764)

AWS has had a proprietary hot-patching capability for years, and ever since they introduced it, I haven't seen a single press release that didn't say, "AWS is not affected." This means one of two things:
  • Amazon discovered all of the vulnerabilities privately but just didn't report them
  • What they mean is, "We are not affected at this moment in time, because we hot-patched our servers during the pre-disclosure period."
I tend to favor the second hypothesis.

Pandavirtualization: Exploiting the Xen hypervisor (Project Zero)

Posted Apr 7, 2017 18:54 UTC (Fri) by SEJeff (guest, #51588)

And Google's cloud uses KVM, not Xen.

Pandavirtualization: Exploiting the Xen hypervisor (Project Zero)

Posted Apr 10, 2017 21:52 UTC (Mon) by nix (subscriber, #2304)

Those really are terribly-named macros, with the arguments making it all the easier to think that it checks things it really doesn't.

Some way down Rusty's API sin list, I think.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds