Slashdot Mirror


Xen Security Issue Patched

An anonymous reader sends in word of a privilege escalation security issue identified in the open source Xen hypervisor. Xen has issued a hotfix and urged all users to install it. The problem was disclosed by Secunia last week. A user of a guest domain with root privileges could execute arbitrary commands in domain 0 via specially crafted entries in grub.conf when the guest system is booted.
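The defensive pattern the fix implies, as an added example that is not Xen's or pygrub's own code: dom0 treats the guest's grub.conf as untrusted data, allowlists the directives and characters it will accept, and hands the result to a builder as an argv list rather than through a shell. The builder name `xen-guest-builder`, the accepted directives and the sample config are assumptions.

```python
"""Hardened handling of guest-supplied grub.conf entries in dom0.

Added example, not Xen or pygrub code. Assumes dom0 reads the guest's
grub.conf only to find a kernel and initrd, and shows the defensive
pattern: every field is opaque data, checked against a strict allowlist,
and never interpolated into a shell command.
"""
import re

# Only these directives are honoured; any other line is ignored (assumed).
ALLOWED_KEYS = {"title", "kernel", "initrd"}
# Absolute path inside the guest image, restricted character set.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._/-]+$")
# Kernel command-line tokens: key or key=value, no shell metacharacters.
SAFE_ARG = re.compile(r"^[A-Za-z0-9._=/,:-]+$")


class UntrustedConfigError(ValueError):
    """Raised when a guest entry fails validation; dom0 refuses to boot it."""


def parse_guest_grub_conf(text: str) -> list[dict]:
    """Parse guest grub.conf into validated boot entries (title/kernel/args/initrd)."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key not in ALLOWED_KEYS:
            continue
        if key == "title":
            current = {"title": value[:64]}  # display only, truncated
            entries.append(current)
            continue
        if current is None:
            raise UntrustedConfigError(f"{key} directive before any title")
        parts = value.split()
        if not parts or not SAFE_PATH.match(parts[0]):
            raise UntrustedConfigError(f"rejected {key} path")
        if any(not SAFE_ARG.match(p) for p in parts[1:]):
            raise UntrustedConfigError(f"rejected {key} argument")
        current[key] = parts[0]
        if key == "kernel":
            current["args"] = parts[1:]
    return [e for e in entries if "kernel" in e]


def build_command(entry: dict) -> list[str]:
    """argv for a hypothetical builder; a list, so no shell ever sees guest data."""
    return ["xen-guest-builder", "--kernel", entry["kernel"], "--"] + entry["args"]
```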

1 of 41 comments

  1. Re:Already fixed in some distributions by kscguru · Score: 2, Insightful
    This one is newsworthy because:
    1. If the guest can take over the host, this is an EXTREME vulnerability. VMs are used for security research sandboxes, intrusion containment ... hosting providers tend to sell root access to Xen guests. The Xen privileged parts (e.g. dom0) tend to run within trusted networks. This is as bad as a remote root hole - probably worse, because it can affect a lot more machines. See a write-up about a Gartner report fearing exactly this sort of hole.
    2. Compare "lots of holes, usually fixed quickly" with "very few holes". Vulnerabilities should not exist in this sort of software, no matter how quickly fixed. Would you use SSH if vulnerabilities "happen almost daily, and are usually fixed quickly"? The rate of occurrence of bugs like this is indicative of code quality. Don't be an apologist where security software is concerned.
    --
    A witty [sig] proves nothing. --Voltaire