Virtual Flaw Leads to Cloud

Tuesday, October 7, 2014 @ 11:10 PM gHale

A patch is available to ward off a malicious hardware virtual machine (HVM) from reading the data from other guests available in the Xen hypervisor.

Xen is an open-source solution for providing virtual private servers, used in cloud computing services like Amazon EC2 (Elastic Compute Cloud) and Rackspace Cloud.

Cloud Security: Provider Mistrust
Cloud Hosts Linux DDoS Trojans
DDoS Attacks Growing, Cloud a Target
Cloud Botnets able to Mine Coin

By leveraging this vulnerability, assigned the CVE-2014-7188 identifier, an attacker could read information from virtual machines running on the same hardware and managed through Xen.

As per Xen’s security advisory, the problem stems from the fact “the MSR range specified for APIC use in the x2APIC access model spans 256 MSRs. Hypervisor code emulating read and write accesses to these MSRs erroneously covered 1024 MSRs.”

Despite the write emulation path created so access to the additional MSRs does not have a negative impact on the other MSRs, “the read path would (attempt to) access memory beyond the single page set up for APIC emulation,” the advisory said.

As a result of the glitch, the host machine could end up crashed or information from other virtual machines and attackers could gain access to the hypervisor itself.

A patch is available to fix the problem that affects Xen 4.1 and up on x86 systems (ARM is not affected).

Credited to Jan Beulich at SUSE, information for CVE-2014-7188 was available to cloud providers prior to its public disclosure, to allow them to take the necessary actions for protecting their customers.

Last week, Amazon started a maintenance update impacting 10 percent of their EC2 systems. This required a reboot of the hardware, making them unavailable for the entire duration of the patching procedure (estimated at a few minutes).

Customers with EC2 instances in multiple availability zones were the least affected by Amazon’s fast action because the data was present in more than one location and could still end up accessed when they would reboot systems in one geographic zone.

“Instances requiring a reboot will be staggered so that no two regions or availability zones are impacted at the same time and they will restart with all saved data and all automated configuration intact,” Amazon said before beginning the system reboots.

The company completed the action on September 30 and said the operation went according to the plan, and that, at the same time, it collaborated with its customers to ensure that everything went smoothly.

Leave a Reply

You must be logged in to post a comment.