Several security issues have been identified that impact XenServer. Customers should consider these issues and determine possible impact to their own systems.
These updates provide a mitigation for recently disclosed issues affecting Intel CPUs. These issues, if exploited, could allow malicious unprivileged code in guest VMs to read arbitrary host memory, including memory allocated to other guests.
This update also addresses the following vulnerabilities:
- CVE-2018-15471: (High) Linux netback driver OOB access in hash handling.
This issue, if exploited, could allow malicious privileged code in a guest to compromise the host.
- CVE-2018-14007: (High) XenServer Directory Traversal
This issue, if exploited, could allow an attacker on the management network (or one who can influence the behavior of a user on the management network) to compromise the host.
- CVE-2018-15468: (Medium) x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS
This issue, if exploited, could allow malicious privileged code in an HVM guest running on an Intel CPU to cause the host to become unresponsive.
All of these issues affect the following versions of Citrix XenServer:
- Citrix XenServer 7.5
- Citrix XenServer 7.4
- Citrix XenServer 7.1 LTSR CU1
In addition, CVE-2018-3620, CVE-2018-3646 and CVE-2018-15468 also affect Citrix XenServer 7.0.
- Systems based on AMD CPUs have reduced exposure and are believed to be vulnerable only to CVE-2018-14007 and CVE-2018-15471.
What Customers Should Do
Updates have been released to address these issues. Citrix recommends that affected customers install these updates as soon as possible. Note that these updates are not live patchable. The updates can be downloaded from the following locations:
Citrix XenServer 7.0
- CTX237090 – https://support.citrix.com/article/CTX237090
- CTX237092 – https://support.citrix.com/article/CTX237092
Citrix XenServer 7.1 CU1
- CTX236908 – https://support.citrix.com/article/CTX236908
- CTX237088 – https://support.citrix.com/article/CTX237088
- CTX237089 – https://support.citrix.com/article/CTX237089
Citrix XenServer 7.4
- CTX236909 – https://support.citrix.com/article/CTX236909
- CTX237086 – https://support.citrix.com/article/CTX237086
- CTX237087 – https://support.citrix.com/article/CTX237087
Citrix XenServer 7.5
- CTX236910 – https://support.citrix.com/article/CTX236910
- CTX237085 – https://support.citrix.com/article/CTX237085
- CTX237080 – https://support.citrix.com/article/CTX237080
In addition, Citrix recommends that customers review the information below and take the appropriate actions.
- As documented in Security Recommendations When Deploying Citrix XenServer, Citrix recommends that the XenServer management interface is placed on an isolated management network.
- Mitigation for the SMM portion of CVE-2018-3620 may require updating the host firmware. Citrix recommends that customers contact their hardware vendor for further information on these firmware upgrades.
- Mitigation of CVE-2018-3620 for PV guests may result in a performance reduction until the PV guest’s kernel is updated to be aware of CVE-2018-3620 mitigations. Citrix recommends updating all PV guests to kernel versions that are aware of CVE-2018-3620 to avoid this performance reduction.
- Full mitigation of CVE-2018-3646 also requires the disabling of hyper-threads on Intel CPUs. Customers should evaluate their workload, determine if the mitigation of disabling hyper-threading is required in their environment, and understand the performance impact of this mitigation. The following document provides the steps to disable hyper-threading via the Xen command line: https://support.citrix.com/article/CTX237190
Note that disabling hyper-threading may result in the number of available pCPUs being reduced, and adversely impact performance. The following document covers additional issues that may be encountered in environments where customers have over-provisioned or pinned pCPUs (for example when hyper-threads are disabled): https://support.citrix.com/article/CTX236977