The widely reported Xen hypervisor flaw was “media hype” that over exposed a flaw that was not as critical as claimed.
Speaking to IT Security Guru at the Black Hat Europe in Amsterdam, Rafal Wojtczuk, security researcher at Bromium said that the revelation of the vulnerability was “really not that interesting” as it was not that critical as the virtual machine can trigger the buffer, and the impact is that there is some data leakage on the hypervisor memory, or allows you to crush the hypervisor if you can access it. “It is not very interesting and in my opinion it received an unjustified amount of interest,” he said.
Media coverage suggested that the bug in Xen may allow a malicious virtual machine to read data from or crash other servers. Xen is used by a number of public and private cloud providers to support infrastructure-as-a-service (IaaS) offerings and the flaw, which was discovered by Jan Beulich at SUSE, affects servers configured to support hardware-assisted virtualisation (HVM) mode virtualisation.
It was deemed enough of a threat to push Rackspace to issue a statement to Arstechnica that confirmed that it was forced to reboot some of its cloud servers (Standard, Performance 1 & Performance 2) and cloud Big Data/Hadoop customers’ to patch the security vulnerability affecting certain versions of Xen.
Rackspace CEO and president Taylor Rhodes, said: “We decided the lesser evil was to proceed immediately, at which time we notified you, and our partners in the Xen community, of the need for an urgent server reboot. Even then, to avoid alerting cyber criminals, we didn’t mention Xen as the reason for the reboot.”
Wojtczuk told IT Security Guru that although the threat is worth considering, the impact is minimal. He said: “Even if you have a vulnerability in a version of Xen and exploit the issue, all you can do is leak 4KB of memory from the host which is not really important, or you can crush the hypervisor. That is more of a concern if you are a cloud vendor that runs a virtual machine and someone can crush it. It is bad, but not catastrophic.”
He went on to say that is the worst case scenario, but in his opinion it is not critical and it doesn’t “justify any sort of panic”.
He said: “It doesn’t affect integrity and one virtual machine cannot attack other virtual machines. Crushing the hypervisor or leaking memory is not what you would like to happen, but it is not critical, and not nice but there are worse issues happening.”