[(Major) Xen Security Issue] XSA-108 under embargo, Amazon rebooting everything
Amazon is rebooting all their VMs. Xen has an embargoed security issue: http://xenbits.xen.org/xsa/ (XSA-108) and it will be public on October 1st.
I wonder what it is, and why it is so serious. Might be a hypervisor exploit, or cross-vm access or something. Probably not the bash bug.
I expect a lot of LET providers will be affected by this.
Anybody with inside info?
Comments
It must be confidential. Anyone leaking such info would lose their job.
It's embargoed, and confidential for a reason.
I doubt anyone would think sharing it on a public forum to be a good idea.
oh for fucks sake!
Where did you find out that it is a security issue?
I think the fact that Amazon are rebooting their infrastructure on short notice is a fair sign this is security related.
@AnthonySmith Add Rackspace to that list, so it must be something big: https://status.rackspace.com/
Opened a ticket with soluslabs. From the webinar they claim to now be a collectively bigger player in the market than Amazon, and as OnApp is Xen primary it would make sense that they release an update and/or are aware of this very soon.
And to be fair.... I got a reply back within 10 minutes letting me know they are aware and they are investigating.
I find it very interesting and not sure if it's "fair" that bugs and patches will be withheld. Right now Amazon, Rackspace and I am sure a few other major companies will be given access to the patch a day or 2 ahead of the release. Everyone else will have to wait for the patch to go public, getting the patch at the same time hackers get a chance to attack them, while big companies are already protected.
I understand why they don't tell the world but... I do not believe it's fair that because X company only makes X or only has X customers it should be held back from something like this. Unless Amazon figured it out themselves, fixed it and then released the patch for other people. That would be more understandable.
Just got an email from @OnePound that they will update their servers tomorrow
It doesn't look like Linode's affected, per caker's reply: https://forum.linode.com/viewtopic.php?f=20&t=11331
Or they're able to patch without rebooting.
This is a list of all the companies that get disclosure. Since SolusVM is part of OnApp, and listed on the pre-disclosure list, they are privy to the same information as Amazon. Would be interesting to see what comes of this. Linode is also a part of this list; I wonder why Amazon is choosing to reboot everything and Linode is not. Must be a feature that Amazon uses that is the problem.
Organizations on the pre-disclosure list:
This is a list of organisations on the pre-disclosure list (not email addresses or internal business groups).
Amazon
CentOS
Citrix
Debian
Gandi.net
GoGrid.com
Host Virtual Inc.
Intel
Invisible Things Lab
Linode
Mageia
Novell
OnApp.com
Oracle
prgmr.com
Rackspace
Redhat
SolusVM.com
SuSE
Ubuntu
Xen Made Easy
Xen Security Response Team
Xen 3.4 stable tree maintainer
Let's pretend that it's something that requires a restart. Linode may have SAN storage for all of their customer data, whereas Amazon has instance storage, so Amazon is then unable to do migration of VMs because machines would lose their instance storage that some people use.
Amazon says they're only rebooting less than 10% of their EC2 infra.
I read that this was just a smoke screen as almost 90% of it actually got rebooted.
Rebooting? @AnthonySmith
I guess so, however because it has been put under limited release the reboots will not be until the release date.
Couldn't someone just figure out what's different on their Amazon/Rackspace VM now after the reboot compared to what it was previously?
Not really. Xen runs on the host, not the VM.
We signed up for the pre-disclosure list and have now received a copy of the XSA -- It is unlikely to affect the LET/LEB community very much.
DISCLOSURE :O
I know you can't say, but I just hope you are not saying that because it does not affect 3.x.
Well, at least we will have a good time.
How many hosts are here with big Xen deployments?
Just a day left before this is disclosed.
Set up a cron job to update the system automatically every 5 minutes starting at midnight.
It will require a reboot based on Amazon's response.
Set up the cron job to update the system every 5 minutes and reboot the server every 10 minutes :P
Yay, HVM only:
HVM guests are the only ones that can reproduce the bug, but PV guests can have their memory read if they share a host with an HVM guest that hasn't been patched and rebooted.