And you were wondering why Amazon had rolling reboots of EC2 recently…
From the Whitepaper “FROM RING 3 TO RING0: EXPLOITING THE XEN X86 INSTRUCTION EMULATOR” (bitdefender):
While a VMM can provide a considerable level of security by isolation, it is generally true that by increasing the code-base that runs on a given host system one also increases the attack surface. Instruction emulators are a critical part of any hypervisor, as they provide the means to virtualize certain devices or handle certain types of faults (such as EPT violations or Invalid Opcode Exceptions). However, creating an emulator is not an easy task, and as with any other piece of software, any issue in the emulation of an instruction might be exploited by an attacker in various ways. If, for example, the emulator fails to properly validate an instruction as precisely as a physical CPU does, an attacker might leverage this in order to gain elevated privileges or cause denial of service. This is an especially important issue, since such problems can be successfully exploited on virtually any x86 operating system. The Xen hypervisor has several vulnerabilities involving the x86 emulator, due to the lack of validation of privilege, which enables the emulation of several sensitive instructions from ring-3: LMSW, HLT, INT, LIDT, LGDT. Some of them have a minor effect (LMSW, HLT), others can cause denial of service (INT) and some facilitate escalation of privileges (LIDT, LGDT) by leading to arbitrary code execution in ring-0. Additionally, a method to bypass Intel SMEP is presented, in the context of the discovered vulnerabilities.
Vulnerabilities in VMMs (Virtual Machine Monitors) are not something new. Hyper-V, Xen or VMware all had vulnerabilities at some point (and they probably still do – they’re yet to be discovered). Xen Security Advisory (Xen Security Advisory, n.d.) and VMware Security Advisories (VMware, n.d.) contain a complete list of vulnerabilities identified either directly in the VMM or in other components, while a good example for Hyper-V is MS13-092 (Luft, n.d.). Some vulnerabilities may be used to cause a denial of service, while others can be used to gain elevated privileges. In this whitepaper we will describe two vulnerabilities identified in the Xen hypervisor, which allow for denial of service and elevation of privileges inside the guest. In addition, a method to bypass SMEP in the context of the presented vulnerabilities is disclosed.
XEN X86 INSTRUCTION EMULATOR VULNERABILITIES
Two distinct vulnerabilities have been discovered in the Xen x86 instruction emulator, which also affect other platforms based on it, such as XenServer (tested on XenServer 6.2, build date 2013-10-15, build number 75966c), XenClient (tested on XenClient 5.1.3), XenClient XT (tested on XenClient XT 3.2.2 Trial, build 132629), Amazon and perhaps (although not tested) Oracle VM and others. Versions from at least 3.2.x onwards are vulnerable (older versions have not been tested) to:
- Logic errors in software interrupt (INT instruction) handling (XSA-106, CVE-2014-7156)
- Insufficient privilege-validations for HLT, LMSW, LIDT, LGDT instructions (XSA-105, CVE-2014-7155)
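As an added illustration (not code from the whitepaper or from Xen itself), the constructed C model below shows the checks a physical x86 CPU applies in protected mode before executing the instructions named in XSA-105 and XSA-106, which are exactly the checks an instruction emulator must replicate: CPL must be 0 for HLT, LMSW, LIDT and LGDT, and a software INT n must pass the IDT limit, gate DPL and gate-present checks. All names and structures are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model; hypothetical names, not Xen's emulator code. */
enum insn { INSN_HLT, INSN_LMSW, INSN_LIDT, INSN_LGDT, INSN_INT_N };
enum fault { FAULT_NONE = 0, FAULT_NP = 11, FAULT_GP = 13 };

/* Minimal IDT gate: only the fields the privilege check needs. */
struct idt_gate {
    bool present;
    uint8_t dpl;   /* descriptor privilege level, 0..3 */
};

/* Returns the exception a real CPU would raise in protected mode, or
 * FAULT_NONE if the instruction may execute at the given CPL.  An emulator
 * that skips these checks lets ring 3 run ring-0-only instructions. */
enum fault check_privilege(enum insn op, uint8_t cpl,
                           const struct idt_gate *idt, size_t idt_entries,
                           uint8_t vector)
{
    switch (op) {
    case INSN_HLT:
    case INSN_LMSW:
    case INSN_LIDT:
    case INSN_LGDT:
        /* Privileged instructions: #GP(0) unless CPL == 0. */
        return cpl == 0 ? FAULT_NONE : FAULT_GP;
    case INSN_INT_N:
        /* Vector must lie within the IDT limit, else #GP. */
        if (vector >= idt_entries)
            return FAULT_GP;
        /* Software interrupts: CPL must not exceed the gate DPL, else #GP. */
        if (cpl > idt[vector].dpl)
            return FAULT_GP;
        /* Gate must be present, else #NP. */
        if (!idt[vector].present)
            return FAULT_NP;
        return FAULT_NONE;
    }
    return FAULT_GP;   /* unknown instruction: refuse */
}

int main(void)
{
    struct idt_gate idt[2] = { { true, 0 }, { true, 3 } };   /* constructed */
    printf("LGDT from ring 3 -> fault %d\n", check_privilege(INSN_LGDT, 3, NULL, 0, 0));
    printf("INT 0 from ring 3 -> fault %d\n", check_privilege(INSN_INT_N, 3, idt, 2, 0));
    printf("INT 1 from ring 3 -> fault %d\n", check_privilege(INSN_INT_N, 3, idt, 2, 1));
    return 0;
}
```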
- Amazon Blog: EC2 Maintenance Update
- Ars Technica: Security bug in Xen may have exposed Amazon, other cloud services
- eWeek: Rackspace Joined Amazon in Patching, Rebooting Cloud Servers
- Information Week: Amazon Reboots Cloud Servers, Xen Bug Blamed