SVG:Advisory-SVG-2015-CVE-2015-7835
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-Xen-CVE-2015-7835]

Title: EGI SVG Advisory 'Critical' Risk 'Breakout' vulnerability for sites running Xen where users have root inside their Virtual Machines -- CVE-2015-7835.

Date: 2015-11-03
Updated:
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-CVE-2015-7835

Introduction
============

Xen is an open source virtualization platform [R 1] and is used primarily for Cloud virtualization, including by some EGI Cloud Resource Providers.

Xen issued several advisories on 29th October 2015 [R 2]. One of these SVG considers serious, CVE-2015-7835 [R 3]. When a user inside a Virtual Machine has 'root' access to that Virtual Machine, it allows the user to 'break out' of the Virtual Machine.

In EGI this is mainly relevant to EGI Federated Cloud sites which use Xen as their virtualization technology, since users there generally do have root access inside the Virtual Machine.

Details
=======

This is serious as it allows a user with root access to a VM to escape from the VM to the 'dom0' and get root there, and so easily affect all VMs running on that system. The access complexity is also stated as 'Low', which SVG takes into account during risk assessment.

Sites should see [R 3], [R 4], and [R 5]. Details of the bug itself are at [R 6], where it is also described as a 'Critical' bug.

Risk category
=============

This issue has been assessed as 'Critical' risk by the EGI SVG Risk Assessment Team.

Affected software
=================

Xen, if users are allowed root inside the Virtual Machine. Generally applicable to the EGI Federated Cloud if Xen is used as the virtualization technology.

Mitigation
==========

See the Xen Advisory [R 3].

Component installation information
==================================

See the Xen Advisory [R 3].

Recommendations
===============

All running resources deploying Xen MUST be either patched or have mitigation in place by 2015-11-10 T21:00+01:00.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.

Credit
======

EGI SVG was alerted to these advisories by Alvaro Lopez Garcia.

References
==========

[R 1] http://www.xenproject.org/
[R 2] http://xenbits.xen.org/xsa/
[R 3] http://xenbits.xen.org/xsa/advisory-148.html
[R 4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7835
[R 5] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7835
[R 6] https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

We are currently revising the vulnerability issue handling procedure, so suggestions and comments are welcome.

Timeline
========

Yyyy-mm-dd
2015-10-29 Advisories issued by Xen
2015-10-29 SVG alerted to these advisories by Alvaro Lopez Garcia.
2015-11-02 EGI Software Vulnerability Group assessed one of these vulnerabilities as 'Critical'
2015-11-03 Advisory drafted and sent to sites