Wednesday, November 19, 2014

Serious Vulnerability To Virtualized Servers Discovered In Xen Project

The Xen Project has revealed last month a lot of details on a serious vulnerability in the Xen hypervisor, one that could put the security of a lot of virtualized servers at risk. Xen is a free, open-source hypervisor that is used to create and run virtual machines and is widely used by providers of cloud computing and virtual private server hosting companies.

The security vulnerability forced Amazon Web Services and Rackspace to reboot some of their customer's virtualized servers when it was discovered. Amazon and Rackspace were among some of the major cloud providers that Xen disclosed the vulnerability to, which is being tracked as CVE-2014-7188.

Do you have a server migration project? Get a server rental fast.

This vulnerability allows a virtual machine created using Xen's hardware-assisted virtualization (HVM) to read data that is stored by other HVM guests sharing the same physical hardware. This vulnerability breaks a crucial security barrier in multi-tenant virtual environments. A malicious HVM guest could exploit the vulnerability to crash the host server, according to a security advisory published by the Xen Project.

The vulnerability only affects Xen running on x86 systems and does not affect ARM or servers virtualized with Xen's paravirtualization (PV) mode instead of HVM. Regardless, the issue is likely to affect a very large number of servers. Amazon was forced to reboot nearly 10% of its Elastic Cloud Computer (EC2) servers and a similar effort from Rackspace affected a quarter of its 200,000 customers.

Amazon scheduled a zone by zone reboot so that they didn't affect two regions or availability zones at the same time. According to a statement released by the company, "The zone by zone reboots were completed as planned and we worked very closely with our customers to ensure that the reboots went smoothly for them."

Rackspace was not as fortunate as Amazon in its process to fix the issue. Taylor Rhodes, CEO of Rackspace, sent out an email to customers about the vulnerability and Rackspace's efforts to correct it and in it stated that the company "dropped a few balls" in the process. "Some of our reboots, for example, took much longer than they should and some of our notifications were not as clear as they should have been. We are making changes to address those mistakes," Rhodes stated.

The problems with this seem to have been fixed but you can be sure that the Xen Project is still working on making sure that something like this doesn't happen again.