A new vulnerability in emulation code used by the Xen virtualization software can allow attackers to bypass the critical security barrier between virtual machines and the host operating systems they run on.
The vulnerability is located in the CD-ROM drive emulation feature of QEMU, an open source hardware emulator that’s used by Xen, KVM and other virtualization platforms. The flaw is tracked as CVE-2015-5154 in the Common Vulnerabilities and Exposures database.
The Xen Project released patches for its supported releases Monday and noted that all Xen systems running x86 HVM guests without stubdomains and which have been configured with an emulated CD-ROM drive model are vulnerable.
Successful exploitation can allow a user with access to a guest OS to take over the QEMU process and execute code on the host OS. That violates one of the primary safeguards of virtual machines that is designed to protect the host OS from the actions of a guest.
Fortunately, Xen-based virtualization systems that are not configured to emulate a CD-ROM drive inside the guest OS are not affected, which will probably be the case for most data centers.
The vulnerability is similar to another one reported in May in QEMU’s floppy drive emulation code. However, that flaw, which was dubbed Venom, was more serious because the vulnerable code remained active even if the administrator disabled the virtual floppy drive for a virtual machine.
Multiple Linux distributions, including Red Hat Enterprise Linux 7 and SUSE Linux Enterprise 12 received patches for QEMU, KVM or Xen.