Citrix XenServer Multiple Security Updates (August 2018)

Several security issues have been identified that impact XenServer. Customers should consider these issues and determine possible impact to their own systems.

These updates provide a mitigation for recently disclosed issues affecting Intel CPUs.  These issues, if exploited, could allow malicious unprivileged code in guest VMs to read arbitrary host memory, including memory allocated to other guests.

In addition, this update also addresses these vulnerabilities:

  • CVE-2018-15471: (High) Linux netback driver OOB access in hash handling.

This issue, if exploited, could allow malicious privileged code in a guest to compromise the host.

  • CVE-2018-14007: (High) XenServer Directory Traversal

This issue, if exploited, could allow an attacker on the management network (or who can influence the behavior of a user on the management network), to compromise the host.

  • CVE-2018-15468: (Medium) x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS

This issue, if exploited, could allow malicious privileged code in an HVM guest running on an Intel CPU to cause the host to become unresponsive.

All of these issues affect the following versions of Citrix XenServer:

  • Citrix XenServer 7.5
  • Citrix XenServer 7.4
  • Citrix XenServer 7.1 LTSR CU1

In addition, CVE-2018-3620, CVE-2018-3646 and CVE-2018-15468 also affect Citrix XenServer 7.0.

Mitigating Factors

  • Systems based on AMD CPUs have reduced exposure and are believed to be vulnerable only to CVE-2018-14007 and CVE-2018-15471.

What Customers Should Do

Updates have been released to address these issues. Citrix recommends that affected customers install these updates as soon as possible.  Note that these updates are not live patchable.  The updates can be downloaded from the following locations:

Citrix XenServer 7.0

Citrix XenServer 7.1 CU1

Citrix XenServer 7.4

Citrix XenServer 7.5

In addition, Citrix recommends customers review the below information and take the appropriate actions.

  • As documented in Security Recommendations When Deploying Citrix XenServer, Citrix recommends that the XenServer management interface is placed on an isolated management network.
  • Mitigation for the SMM portion of CVE-2018-3620 may require updating the host firmware. Citrix recommends that customers contact their hardware vendor for further information on these firmware upgrades.
  • Mitigation of CVE-2018-3620 for PV guests may result in a performance reduction until the PV guest’s kernel is updated to be aware of CVE-2018-3620 mitigations.  Citrix recommends updating all PV guests to kernel versions that are aware of CVE-2018-3620 to avoid this performance reduction.
  • Full mitigation of CVE-2018-3646 also requires disabling hyper-threading on Intel CPUs. Customers should evaluate their workload to determine whether disabling hyper-threading is required in their environment, and should understand the performance impact of this mitigation. The following document provides the steps to disable hyper-threading via the Xen command line:

Note that disabling hyper-threading may result in the number of available pCPUs being reduced, and adversely impact performance.  The following document covers additional issues that may be encountered in environments where customers have over-provisioned or pinned pCPUs (for example when hyper-threads are disabled):

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
