New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Significant Xen Security Bug
MeAtExampleDotCom
Member
in General
https://raw.githubusercontent.com/QubesOS/qubes-secpack/master/QSBs/qsb-022-2015.txt - found via https://news.ycombinator.com/item?id=10471912 where you might find useful discussion.
Looks like any guest VM can compromise an unpatched host (and therefore other guests) in a complete and untraceable manner.
If you use Xen, patch now or at least investigate to prove that the version/configuration you are running is not affected, if you have not already done so. If you use a service provider that uses Xen who has not already patched or announced plans to do so, drop them a line in case they have not yet been informed.
Comments
@AnthonySmith mentioned that most hosts won't be affected by this; is it specific to some configuration (other than only PV)?
Could it be that he was meaning most hosts, bigger name players at least, won't be affected by this any more having been informed earlier than the public announcement and already patched?
The complexity involved in 148 is insane, I am patched up anyway but regardless you need to keep in mind that this 'security concern' has been present in Xen for 7 years, anyone smart enough to put it to any use already has.
I felt that 'security concern' has been everywhere around the universe. Well, especially after 09 / 11. XSA has been published this hole around sometime ago.
i.e.: If you used any Xen VPS whatsoever over the past 7 years, you can't be certain that whatever was on it isn't leaked or tampered with.