The latest Xen Project maintenance releases of the Xen hypervisor, 4.6.1 and 4.4.4, have been pushed out with two security updates missing.
The popular virtualization solution for cloud computing providers receives a maintenance update every four months that is meant to roll up all security patches and bug fixes released in that period. Two security patches, XSA-162 and XSA-155, were only partially included in this update because of an “oversight.”
“Note that, as also mentioned on the web page above, due to two oversights the fixes for both XSA-155 and XSA-162 have only been partially applied to this release. (Note further that the same applies to the recently announced 4.4.4 release.)” reads the Xen blog post.
The XSA-155 vulnerability involves Xen’s paravirtualized (PV) drivers and could allow a guest OS administrator to crash the host or run code with elevated privileges. Both ARM and x86 systems are affected, and every operating system that provides PV backends is susceptible.
“Malicious guest administrators can cause denial of service,” reads the XSA-155 advisory. “If driver domains are not in use, the impact can be a host crash, or privilege escalation.”
The second vulnerability that missed the maintenance release, XSA-162, involves the QEMU open-source device emulator used by Xen. A guest operating system that has access to an emulated PCnet network adapter could exploit it to escalate privileges, allowing an attacker inside the guest to gain the privileges of the QEMU process on the host.
“All Xen systems running x86 HVM guests without stubdomains which have been configured to use the PCNET emulated driver model are vulnerable,” reads the XSA-162 advisory. “The default configuration is NOT vulnerable (because it does not emulate PCNET NICs).”
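The advisory text above spells out three conditions that have to hold together: an x86 HVM guest, no device-model stubdomain, and a NIC configured with the emulated PCnet model. The following script is an added example (not from the article or the Xen project) that reads xl domain configuration files and flags guests matching all three conditions. It relies on the standard xl.cfg keys `type`/`builder`, `device_model_stubdomain_override` and the `model=` option inside `vif` entries; the three sample configs are constructed for the example, and the light regex parser only handles the usual literal form of those keys, not arbitrary Python expressions an xl config may contain.

```python
"""Added example: flag xl domain configs matching the XSA-162 exposure
condition (x86 HVM guest, no device-model stubdomain, PCnet NIC model).
Not code from the article or the Xen project; sample configs are constructed."""
import re

# Constructed sample configs: one exposed, one safe because the default NIC
# model is used, one safe because the device model runs in a stubdomain.
SAMPLE_CONFIGS = {
    "exposed.cfg": """
name = "win-legacy"
type = "hvm"
memory = 2048
vif = [ 'bridge=xenbr0,model=pcnet', 'bridge=xenbr1' ]
""",
    "default-nic.cfg": """
name = "win-default"
builder = "hvm"
vif = [ 'bridge=xenbr0' ]
""",
    "stubdom.cfg": """
name = "win-stub"
type = "hvm"
device_model_stubdomain_override = 1
vif = [ 'model=pcnet,bridge=xenbr0' ]
""",
}


def _scalar(cfg, key):
    """Return the value of a simple 'key = value' line (quotes stripped), or None."""
    pattern = r'^\s*%s\s*=\s*["\']?([^"\'\n]+?)["\']?\s*$' % re.escape(key)
    m = re.search(pattern, cfg, re.M)
    return m.group(1).strip() if m else None


def _vif_specs(cfg):
    """Return the quoted entries of the 'vif = [ ... ]' list."""
    m = re.search(r'^\s*vif\s*=\s*\[(.*?)\]', cfg, re.M | re.S)
    if not m:
        return []
    return re.findall(r'["\']([^"\']*)["\']', m.group(1))


def nic_models(cfg):
    """Emulated NIC model per vif entry; 'default' when no model= option is set."""
    models = []
    for spec in _vif_specs(cfg):
        parts = (p.strip() for p in spec.split(','))
        opts = dict(kv.split('=', 1) for kv in parts if '=' in kv)
        models.append(opts.get('model', 'default'))
    return models


def is_hvm(cfg):
    # Newer configs use 'type', older ones 'builder'; absent both, xl assumes PV.
    return (_scalar(cfg, 'type') or _scalar(cfg, 'builder') or 'pv').lower() == 'hvm'


def uses_stubdomain(cfg):
    return (_scalar(cfg, 'device_model_stubdomain_override') or '0') == '1'


def xsa162_exposed(cfg):
    """True only when all three conditions from the advisory hold."""
    return (is_hvm(cfg)
            and not uses_stubdomain(cfg)
            and any(m.lower() == 'pcnet' for m in nic_models(cfg)))


def audit(configs):
    """Map config name -> exposed flag for a dict of {name: config text}."""
    return {name: xsa162_exposed(text) for name, text in configs.items()}


if __name__ == '__main__':
    for name, exposed in audit(SAMPLE_CONFIGS).items():
        print(f"{name}: {'EXPOSED to XSA-162' if exposed else 'not exposed'}")
```

In practice the `SAMPLE_CONFIGS` dict would be replaced by reading the files under the host's xl config directory; a guest that is flagged needs the XSA-162 patch applied to its QEMU, or its NIC model switched away from PCnet, rather than relying on the maintenance release alone.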
While everyone is encouraged to upgrade to these releases, the security patches for the two vulnerabilities above must be applied manually on top of them.