Xen patches three bugs that allow guest-host takeover

The Xen Project has disclosed three bugs in its eponymous hypervisor – all of which would allow a malicious VM administrator to take control of a host system.

CVE-2022-26364 and CVE-2022-26363 are the subject of a single security advisory that warns the flaws mean "Malicious x86 PV guest administrators can escalate privilege so as to control the whole system."

The bad news is that all versions of Xen have the problem, which is caused by an incorrect conclusion that a page is safe to access. The good news is that Xen has a sincere belief that Xen on Intel's Ivy Bridge or later architectures is not impacted by the vulnerability. The flaw also impacts only paravirtualized guests that have access to a host's devices. Not sharing devices with guests will make the problem moot.

Ivy Bridge debuted in 2012 and its production run ended in 2015, but it is surely folly to assume that means trivially few boxes are threatened by CVE-2022-26364. The Register has heard too many stories of servers that just keep running, and evade IT estate inventories, to suggest this flaw can be ignored.

The Xen Project certainly did not. The prevalence of the hypervisor in hyperscale and embedded environments saw it issue an advisory under embargo. That advisory was revised four times, suggesting a bit of back and forth.

• Xen and the art of hypervisor upgrades
• SiFive's latest top-end RISC-V CPU core supports proper virtualization in hardware
• XCP-NG project teases DPU-as-a-Service on Scaleway cloud
• Xen releases a new version 4.15 after a slightly delayed development process

The other flaw is CVE-2022-26362 which also allows guest-host takeover. Again, only PV guests are a risk, but guest-host takeover is a possibility. If you don't run PV guests, you're in the clear.

Xen's advisory for this flaw again explains that it's a problem with pages.

Google's Project Zero found both flaws, but fear not – the G-Cloud runs a hardened version of KVM, not Xen. ®