Last week, a security vulnerability was reported in the open source Xen hypervisor. Secunia released an advisory stating that Xen could be exploited by malicious users who already hold root privileges inside a guest domain. Such a guest root user could execute arbitrary commands in domain 0 via specially crafted entries in the guest's grub.conf, which are processed when the guest is booted. The problem stems from a bug in the tools/pygrub/src/GrubConf.py script, which reads the GRUB boot manager's configuration from the guest disk and sets parameters using Python's "exec" without proper sanitization of the values it reads. On the next reboot of the guest domain, an offending configuration file can pass commands to the shell via the script, which runs in domain 0, and the commands are then executed there. Because pygrub runs in domain 0 while parsing a file that is entirely under the guest administrator's control, any root user in an affected paravirtualized guest can escalate to control of domain 0 on that host.

Joris van Rantwijk reported the vulnerability, and an example exploit can be found in a XenSource Bugzilla entry. The vulnerability was detected in Xen 3.0.3, although other versions might also be affected.

XenSource was quick to supply a hotfix, security update 2007-001. The security update fixes the vulnerability in the XenServer v4 line of products, and XenSource strongly recommends that all users update their environments accordingly. The hotfix must be applied to each server in your pool. Download and installation instructions are available from XenSource.
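To make the pattern concrete, here is an added illustration, not pygrub's own code, of a grub.conf directive parser written the way the advisory describes: the directive's argument is spliced into Python source and handed to exec, so a crafted line in the guest's grub.conf runs attacker code in the parser's process (domain 0 in the real case). Beside it is the hardened form, which maps directives to attributes through a fixed table and stores the value with setattr, never turning data into code. The directive table (COMMANDS), the class and function names, the SIDE_EFFECTS sink and the sample config contents are all constructed for this example.

```python
"""Toy model of the pygrub-style injection: parser built on exec() versus a
parser built on setattr(). Constructed example, not the actual GrubConf.py."""

# Hypothetical directive -> attribute table, standing in for the idea that
# GrubConf maps each grub.conf directive to a field on an image object.
COMMANDS = {
    "kernel": "kernel",
    "initrd": "initrd",
    "root": "root",
}

# Observable sink for "code ran in the parser's process". In the real bug this
# would be a shell command executing in domain 0.
SIDE_EFFECTS = []


def split_directive(line):
    """Split 'kernel /boot/vmlinuz ro' into ('kernel', '/boot/vmlinuz ro')."""
    parts = line.strip().split(None, 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (parts[0], "")


class VulnerableImage:
    """The unsafe pattern: untrusted text becomes Python source."""

    def __init__(self):
        self.kernel = self.initrd = self.root = None

    def set(self, line):
        com, arg = split_directive(line)
        if com in COMMANDS:
            # BUG: arg comes from a file the guest's root user writes. Wrapping
            # it in a raw string literal does not help; a double quote in arg
            # terminates the literal and whatever follows is executed as code.
            exec('self.%s = r"%s"' % (COMMANDS[com], arg.strip()))


class HardenedImage:
    """The safe form: attribute name from a whitelist, value stored verbatim."""

    def __init__(self):
        self.kernel = self.initrd = self.root = None

    def set(self, line):
        com, arg = split_directive(line)
        if com in COMMANDS:
            setattr(self, COMMANDS[com], arg.strip())


def parse(image_cls, config_text):
    """Feed every non-empty, non-comment grub.conf line to image.set()."""
    image = image_cls()
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            image.set(line)
    return image


# Constructed grub.conf contents. BENIGN_CONF is what a normal guest config
# looks like; CRAFTED_CONF closes the string literal and appends a statement.
BENIGN_CONF = """
default 0
timeout 5
title Guest kernel
    root (hd0,0)
    kernel /boot/vmlinuz-2.6 root=/dev/xvda1 ro
    initrd /boot/initrd.img
"""

CRAFTED_CONF = """
title Hostile guest
    kernel /boot/vmlinuz"; SIDE_EFFECTS.append("ran in dom0"); x = r"
"""


def run_demo():
    """Parse CRAFTED_CONF with both parsers; return what each one did."""
    del SIDE_EFFECTS[:]
    vuln = parse(VulnerableImage, CRAFTED_CONF)
    vuln_effects = list(SIDE_EFFECTS)
    del SIDE_EFFECTS[:]
    hard = parse(HardenedImage, CRAFTED_CONF)
    return vuln.kernel, vuln_effects, hard.kernel, list(SIDE_EFFECTS)


if __name__ == "__main__":
    vk, ve, hk, he = run_demo()
    print("vulnerable parser: kernel=%r, side effects=%r" % (vk, ve))
    print("hardened parser:   kernel=%r, side effects=%r" % (hk, he))
```

Running the script shows the vulnerable parser truncating the kernel path at the injected quote and appending "ran in dom0" to SIDE_EFFECTS, while the hardened parser keeps the entire hostile line as an inert string. The general lesson is the one the advisory points at: a bootloader config read from a guest disk is attacker input, and a dom0 tool must never build code from it.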
Virtual Iron, another server virtualization platform designed to incorporate the open source Xen hypervisor, quickly came out and claimed the following:

"Our software is not impacted by this vulnerability at all. Virtual Iron does not grant any user access to dom0. Virtual Iron does not use GrubConf.py. It is not even present in our dom0. Virtual Iron supports only unmodified operating systems (HVM). GrubConf.py is used to bootstrap paravirtualized guests."