EGI SVG Advisories

Advisory-SVG-2015-CVE-2015-7835

** WHITE information - Unlimited distribution allowed                       **
** see https://go.egi.eu/tlp for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-Xen-CVE-2015-7835]

Title:   EGI SVG Advisory 'Critical' Risk 'Breakout' vulnerability for sites
         running Xen where users have root inside their Virtual Machines --
         CVE-2015-7835.

Date:    2015-11-03
Updated:

URL:     https://advisories.egi.eu/2015/Advisory-SVG-2015-CVE-2015-7835

Introduction
============

Xen is an open source Virtualization platform [R 1] and is used primarily for
Cloud virtualization, including by some EGI Cloud Resource Providers.

Xen issued several advisories on 29th October 2015. [R 2]

One of these SVG considers serious, CVE-2015-7835 [R 3].

In the case when a user inside a Virtual Machine has 'root' access to that
Virtual Machine it allows a user to 'breakout' of the Virtual Machine.   In EGI
this is mainly relevant to EGI Federated Cloud sites where users generally do
have root access inside the Virtual machine, which use Xen as their
virtualization technology.


Details
=======

This is serious as it allows a user with root access to a VM to escape to the
VM to the 'dom0' and get root there, and easily affect all VMs running on that
system.  The access complexity is also stated as 'Low' which SVG takes into
account during risk assessment.

Sites should see [R 3], [R 4], and [R 5].

Details of the bug itself are at [R 6] where it is also described as a
'Critical' bug.


Risk category
=============

This issue has been assessed as 'Critical' risk by the EGI SVG Risk Assessment
Team.


Affected software
=================

Xen if users are allowed root inside the Virtual Machine.

Generally applicable to the EGI Federated Cloud if Xen is used as the
virtualization technology.


Mitigation
==========

See the Xen Advisory [R 3]


Component installation information
==================================

See the Xen Advisory [R 3]


Recommendations
===============

All running resources deploying Xen MUST be either patched or have mitigation
in place by 2015-11-10  T21:00+01:00.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT
team risk site suspension.


Credit
======

EGI SVG was alerted to this these advisories by Alvaro Lopez Garcia


References
==========

[R 1] http://www.xenproject.org/

[R 2] http://xenbits.xen.org/xsa/

[R 3] http://xenbits.xen.org/xsa/advisory-148.html

[R 4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7835

[R 5] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7835

[R 6] https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so
suggestions and comments are welcome.


Timeline
========

Yyyy-mm-dd

2015-10-29 Advisories issued by Xen
2015-10-29 SVG alerted to these advisories by Alvaro Lopez Garcia.
2015-11-02 EGI Software Vulnerability Group Assessed one of these
           vulnerabilities as 'Critical'
2015-11-03 Advisory drafted and sent to sites