Is Shellshock Overshadowing the Xen Threat?


On September 24th, multiple critical vulnerabilities were disclosed in the Bourne Again Shell (BASH). The issue was given the catchy name of “Shellshock”, and a media frenzy ensued. What might have gone unnoticed in all the commotion was that on the same day, Amazon, Rackspace, and other cloud computing services announced emergency updates and reboots to virtual machine host systems.

Amazon's Public Response

The reason for all of this activity by cloud providers was not initially clear, and Amazon only released an explanation after complaints from customers. Since September 10th, there have been four publicly disclosed issues in the Xen software used to power AWS and the services of other providers. The Xen software is a virtual machine host that allows you to run many virtual systems on a limited number of physical systems. The host system is isolated from the guest system and is supposed to be immune to any changes or issues that occur on the guest system.

How Attackers can Exploit the Xen Vulnerability

Three of the vulnerabilities announced in September break that isolation. They allow attackers with a guest system on vulnerable Xen hosts to cause a denial-of-service condition on the host, and therefore impact every other guest system on that host. Even if you accept Amazon’s estimate that only 10% or less of their systems would be impacted, that is 10% of their capacity at risk. If you happen to have all of your servers on vulnerable AWS hosts, that would be 100% of your capacity.

Unfortunately, the Xen disclosures might not be over. The scheduled release date for information regarding the vulnerabilities affecting AWS is Oct 1st, and it is unclear whether the issues revealed on the same day as Shellshock were the same issues Amazon was fixing.

Bitium's Response to Xen Vulnerability

Bitium uses Amazon's Cloud Computing Services (AWS), which is the leading provider of cloud computing services (Gartner agrees). We do this because our customers rely upon Bitium, and AWS has allowed us to provide 100% availability. Once we were notified by Amazon of the impending reboots, precautionary measures were taken to help mitigate any potential impact and maintain the level of service our customers have come to expect. We will monitor this situation and keep you informed of any updates regarding this issue.


  • CVE-2014-7156  Xen x86 Emulation Error Lets Local Guest System Users Deny Service on the Host System

  • CVE-2014-7154  Xen HVMOP_track_dirty_vram Race Condition Lets Local Guest Users Deny Service on the Host System

  • CVE-2014-6268  Xen Initialization Flaw in evtchn_fifo_set_pending() Lets Local Guest Systems Crash the Host System