Lucene search

K
citrixCitrixCTX263684
HistoryNov 12, 2019 - 5:00 a.m.

Citrix Hypervisor Security Update

2019-11-1205:00:00
support.citrix.com
58

CVSS2

4.9

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS

0.001

Percentile

23.6%

Description of Problem

A security issue has been identified in certain CPU hardware that may allow unprivileged code running on a CPU core to infer the value of memory data belonging to other processes, virtual machines or the hypervisor that are, or have recently been, running on the same CPU core.

This issue has the following identifier:

• CVE-2019-11135: TSX Asynchronous Abort

A further security issue has been identified in certain CPU hardware that may allow privileged code running in an HVM guest VM to cause the host to crash.

This issue has the following identifier:

• CVE-2018-12207: Machine Check Error on Page Size Change

Although these are not vulnerabilities in the Citrix Hypervisor (formerly Citrix XenServer) product, this bulletin and associated hotfixes provide assistance in mitigating these CPU issues. These hotfixes include updated CPU microcode that address these and other CPU issues and may, depending on workload, have a noticeable performance impact.

In addition to these CPU issues, Citrix is aware of certain issues involving Intel 700 Series network interface cards (NICs) that may require vendor firmware updates. Although these are not vulnerabilities in Citrix Hypervisor, Citrix is providing updated drivers for both the Long-Term Support Release (LTSR) and the latest Current Release (CR) to support new firmware.

These issues affect all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.0.


Mitigating Factors

Customers running only AMD CPUs and with no Intel 700 Series NICs are unaffected by these issues.

CVE-2019-11135 only affects certain Intel CPUs; Citrix expects that details of which models are affected by these issues will be available at <https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu&gt;


What Customers Should Do

Citrix recommends that customers take four actions to mitigate these issues:

i) apply firmware updates; ii) apply hotfixes; iii) apply driver updates and iv) consider enabling/disabling CVE-2018-12207 protection. Note that these steps need not be performed in this order and customers wishing to minimise reboot cycles may wish to consider enabling CVE-2018-12207 and applying the hotfix and driver updates and then updating firmware during the reboot cycle for the hotfix/driver updates.

Customers should also be alert to potential workload-dependent performance impacts from updated microcode.

Applying firmware

Citrix recommends that customers follow the guidance of their hardware vendor with respect to obtaining and applying updated firmware for their hardware, both for the base system firmware (“BIOS”) and for any Intel 700 Series NICs.

Applying hotfixes

Hotfixes have been released to mitigate these issues. Citrix recommends that affected customers install these hotfixes as their patching schedules allow. The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.0: CTX263663 – <https://support.citrix.com/article/CTX263663&gt;

Citrix XenServer 7.6: CTX263662 – <https://support.citrix.com/article/CTX263662&gt;

Citrix XenServer 7.1 LTSR CU2: CTX263661 – <https://support.citrix.com/article/CTX263661&gt;

Citrix XenServer 7.0: CTX263660 – <https://support.citrix.com/article/CTX263660&gt;

Apply driver updates

Citrix has released i40e driver update disks for Intel 700 Series NICs for the LTSR and latest CR release. These may be found at:

Citrix Hypervisor 8.0: CTX263699 – <https://support.citrix.com/article/CTX263699&gt;

Citrix XenServer 7.1 LTSR CU2: CTX263698 – <https://support.citrix.com/article/CTX263698&gt;

Enabling/disabling CVE-2018-12207 protection

This issue may allow privileged code running in an HVM guest VM to crash the host. Mitigating this hardware issue in software has a further performance impact; the size of this further impact is heavily workload dependent but is expected to be noticeable. Citrix therefore recommends that customers carefully consider the relative impacts of not mitigating this issue against the performance impact and enable or disable the CVE-2018-12207 mitigations by following the instructions in CTX263718 – <https://support.citrix.com/article/CTX263718&gt;

Note that CVE-2018-12207 will not be mitigated unless this protection has been explicitly enabled.


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at _ <http://support.citrix.com/&gt;_.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at _ <https://www.citrix.com/support/open-a-support-case.html&gt;_.


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date Change
12th November 2019 Initial Publication

Affected configurations

Vulners
Node
citrixhypervisorRange8.0cumulative_update1long_term_service
OR
citrixxenserverRange7.6
OR
citrixxenserverRange7.1
OR
citrixxenserverRange7.0
OR
citrixhypervisorRange8.0cumulative_update1long_term_service
OR
citrixxenserverRange7.1

CVSS2

4.9

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS

0.001

Percentile

23.6%