Script Error Opens up Security Hole in Xen 3.0.3
A Red Hat update has just been released to close various vulnerabilities in the Xen virtualization solution, one of which was caused by an error in a Python script.
The vulnerability, which has been assigned the CVE number CVE-2007-4993, is in the tools/pygrub/src/GrubConf.py script and was discovered by Joris van Rantwijk. Security researchers Secunia classify the error as moderately critical. It can be exploited by manipulating the Grub bootloader. A successful attacker would have the ability to execute arbitrary commands in domain 0 which has hardware access.
Tavis Ormandy found another bug (CVE-2007-1320) which triggers a heap overflow on video-to-video copy actions in the Cirrus VGA extension. An administrative user in a guest domain might be able to exploit this to execute malicious code outside their own domain.
The third vulnerability, (CVE-2007-1321), which was also discovered by Ormandy, triggers a heap overflow in the Xen NE2000 network driver. If the driver is used, a local administrator has the ability to execute arbitrary malicious code in other domains. The developers point out that Xen does not use the buggy driver by default.
Red Hat has released an update to close all three security holes. Version 3.0.3 of Xen is affected. It is unclear whether other versions have the bugs. Xen users are advised to update their installations as quickly as possible. Red Hat is currently the only source for the updates.
Issue 249/2021
Buy this issue as a PDF
News
-
Steam Deck Linux-Powered Gaming System Set to Take Over the Handheld World
A Linux and KDE-powered portable gaming platform is set to be released by Valve.
-
Linux Mint 20.2 Now Available and Better Than Ever
The developers of Linux Mint have gone a long way to perfecting the desktop experience.
-
Linux Foundation Forming the Open 3D Foundation
The Linux Foundation has announced they will be forming the Open 3D Foundation to accelerate developer collaboration on 3D games and simulations.
-
Nitrux 1.5 Ships with Kernel 5.13
Debian-based Nitrux Linux is the first distribution to ship with kernel 5.13
-
Slimbook Goes All in with a Linux Laptop that Focuses on the Display and the Power
Slimbook is now offering a Linux laptop geared for professionals, with the launch of a new lightweight ultrabook with plenty of power to spare.
-
KDE Plasma 5.22 Released with Better Stability and Usability Across the Board
The KDE Plasma desktop development has kicked into high gear and the latest release reflects newfound popularity and drive behind the open-source environment.
-
Nvidia and Valve Collaborate to Bring DLSS to Linux
Both powerhouses in the gaming industry are trying to make the experience on Linux much improved, by way of DLSS.
-
Kali Linux 2021.2 Official Release Now Available
The latest iteration of security fan-favorite Kali Linux has been released with new tools, themes, and plenty of improvements.
-
Entroware Unleashes a Beast of a Linux Laptop
If you're looking for a portable workhorse, look no further than the Entroware Proteus laptop.
-
System76 Unveils its “Launch” Keyboard
The open-source darling, System76, is about to launch the Launch keyboard and you can pre-order yours now.