The Xen Project has patched a serious vulnerability that could allow an attacker in a guest virtual machine to escape and gain the ability to run arbitrary code on the host machine.
The vulnerability is in the QEMU open source machine emulator that ships as part of the Xen hypervisor. The problem lies in how QEMU’s IDE emulation handles certain ATAPI commands.
“A heap overflow flaw was found in the way QEMU’s IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host’s QEMU process corresponding to the guest,” the Xen advisory says.
This vulnerability, which was discovered by Kevin Wolf at Red Hat, affects only Xen on x86 systems; ARM-based systems aren’t vulnerable. The affected versions include Xen 4.5.x, 4.4.x, 4.3.x, and 4.2.x in the qemu-xen-traditional branch, and 4.5.x, 4.4.x, and 4.3.x in the qemu-upstream branch.
“An HVM guest which has access to an emulated IDE CDROM device (e.g. with a device with ‘devtype=cdrom’, or the ‘cdrom’ convenience alias, in the VBD configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process,” the advisory says.
In April, a researcher from CrowdStrike disclosed a vulnerability in QEMU’s virtual floppy disk drive controller that allowed an attacker to escape the VM and attack the host. The bug required the attacker to be an authenticated user on the virtual machine.