Slashdot Mirror


Xen Vulnerability Allows Hackers To Escape Qubes OS VM And Own the Host (itnews.com.au)

Slashdot reader Noryungi writes: Qubes OS certainly has an intriguing approach to security, but a newly discovered Xen vulnerability allows a hacker to escape a VM and own the host. If you are running Qubes, make sure you update the dom0 operating system to the latest version.
"A malicious, paravirtualized guest administrator can raise their system privileges to that of the host on unpatched installations," according to an article in IT News, which quotes Xen as saying "The bits considered safe were too broad, and not actually safe." IT News is also reporting that Qubes will move to full hardware memory virtualization in its next 4.0 release. Xen's hypervisor "is used by cloud giants Amazon Web Services, IBM and Rackspace," according to the article, which quotes a Qubes security researcher who asks the age-old question. "Has Xen been written by competent developers? How many more bugs of this caliber are we going to witness in the future?"

13 of 73 comments

  1. well, shitlord... by Anonymous Coward · · Score: 4, Insightful

    which quotes a Qubes security researcher who asks the age-old question. "Has Xen been written by competent developers? How many more bugs of this caliber are we going to witness in the future?"

    Well, "Qubes security researcher", which platform did you choose for your project, and did you audit it fully before making your releases? No?

    Which raises the age-old question: Has Qubes been written by competent developers?

    1. Re:well, shitlord... by martyros · · Score: 4, Informative

      Which raises the age-old question: Has Qubes been written by competent developers?

      What's really rich about that question is that if you read their advisory, the Qubes developers couldn't figure out how to exploit the vulnerability when handed a patch that changes the problematic behavior. If not spotting the issue without having it handed to them makes the Xen developers incompetent, what does that say about the Qubes developers?

      The fact is, though, that the vulnerability is actually quite hard to spot. It's not surprising at all that experienced security researchers would fail to spot it even when given a pretty big clue; much less that the initial developers would fail to spot it.

      --

      TCP: Why the Internet is full of SYN.

  2. Re:Really? by phantomfive · · Score: 5, Informative

    Show me this type of vulnerability in VMware, any version

    Here's one example.

    Here's a story showing that VMware tries to hide their vulnerabilities.

    --
    "First they came for the slanderers and i said nothing."

  3. Re:Computer security is really, really hard by phantomfive · · Score: 2

    Real computer security is impossible.

    We can do much, much, much better than we are doing now.
    There is no reason that our lower-level systems (at least) can't be secure. You write them once (in the djb style), then don't change them, because they don't need to change.

    The problem now is that there is very little motivation for programmers to even care about security. You can't see it, and no manager ever asks at a sprint, "is the code you wrote secure?"

    --
    "First they came for the slanderers and i said nothing."

  4. WTF is Qubes? by kwerle · · Score: 2

    https://www.qubes-os.org/ claims (tongue in cheek) to be "Reasonably secure." Really it looks like they are all about the security, so this is kind of a big deal for them.

    https://www.qubes-os.org/tour/...
    What is Qubes OS?
    Qubes is a security-oriented operating system (OS). The OS is the software which runs all the other programs on a computer. Some examples of popular OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it.

    1. Re:WTF is Qubes? by Burz · · Score: 3, Informative

      You can think of Qubes as a desktop OS that demotes monolithic kernels (hopelessly insecure) to the role of providing features/drivers within unprivileged VMs. This is similar to the microkernel philosophy, but also recognizes that monolithic kernels are still where all the drivers and apps are to be found.

      Qubes also employs IOMMU hardware to contain network and USB controllers within unprivileged VMs to protect against DMA attacks. The admin VM that runs the desktop environment has no direct access to networking, and the user can assign other PCI devices to VMs as they see fit.

      The last piece of the Qubes picture is that it departs from how most hypervisors handle graphics, keyboards and inter-VM copying. Each is properly virtualized using a very simple protocol that is highly resistant to attack, so that VMs cannot sniff your clipboard contents or keystrokes, or take screenshots, etc. Copying between Qubes VMs is also probably much safer than copying between air-gapped machines using discs or flash drives because the former is far simpler.

      The Qubes Security Bulletin for this Xen vulnerability can be viewed here.

      Most Xen vulns either do not apply to Qubes or are DOS, and the Qubes project is skeptical that this one can be realistically used against Qubes. Still, the bulletin also describes how this vuln belongs to a class of memory management bugs that the Xen project has not done a good job in rectifying. This appears to be Xen's "weak spot" that could be a perennial source of vulns. As a result, Qubes will be moving away from PVMs (which use the questionable memory mapping code) to HVMs which employ on-silicon SLAT for VMs.

    2. Re:WTF is Qubes? by fnj · · Score: 2

      https://www.qubes-os.org/ claims (tongue in cheek) to be "Reasonably secure." Really it loo[k]s like they are all about the security, so this is kind of a big deal for them.

      "All about security", so they insert "user ALL=(ALL) NOPASSWD: ALL" in sudoers, right? And a PolicyKit rule for anybody to do anything? And DOM0 is set up with no-password root access? I gotta tell ya, those are real head-scratchers. They have some great ideas, but I'm not sure they are living in the same world I am.

    3. Re:WTF is Qubes? by slashrio · · Score: 2

      As the assumption is that VMs can not access each other's contents, and the owner of the computer is assumed to have protected his access to the host by using a password, individual passwords for individual VMs are not necessary anymore and the user can have sudo access, as there is only one user.
      Qubes OS is not multi-user.

      --
      "Trump!!", the new Godwin.

  5. First link describes XSA-148, not XSA-182 by martyros · · Score: 2

    The first link is a description of XSA-148, which was published last October, not XSA-182.

    --

    TCP: Why the Internet is full of SYN.

  6. Re:Really? by darkain · · Score: 2

  7. Re:Computer security is really, really hard by Dog-Cow · · Score: 2

    You can prove code is logically correct, but you can't prove the logic is correct. If you don't understand the difference, don't be a security researcher.

  8. Re: Computer security is really, really hard by Dog-Cow · · Score: 3, Insightful

    While you're at it, build your own fucking universe where everything is secure from the subatomic particle on up. If you don't, your task is impossible. The end.

  9. Re:Computer security is really, really hard by Time_Ngler · · Score: 3, Insightful

    No, you're wrong. All programs have to run on hardware, which can't be proven to run the way it's supposed to. Full stop.