Citrix Hypervisor Security Updates

Citrix advisory CTX275165
Published: 2020-06-09 04:00:00
Source: support.citrix.com

CVSS3: 5.5 Medium (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS2: 2.1 Low (AV:L/AC:L/Au:N/C:P/I:N/A:N)

  • Access Vector: LOCAL
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

EPSS: 0.001 Low (Percentile: 18.0%)

Description of Problem

Modern CPUs contain random number generators that provide entropy (randomness) to the software running on those processors to use for purposes such as generating cryptographic encryption keys. Software can obtain entropy by using the RDRAND and RDSEED instructions.

A security issue has been identified in certain CPU hardware that may allow unprivileged code running on a host to observe the entropy provided by the CPU to other processes, virtual machines or the hypervisor that are, or have recently been, running, irrespective of whether they are running on the same processor core or thread. For example, if a process in one guest VM were to use the RDSEED instruction to get a random value to use as a secret encryption key, another process in a different VM might be able to observe the result of that RDSEED instruction and so determine the secret encryption key.

This issue has the following identifier:

  • CVE-2020-0543: Special Register Buffer Data Sampling Advisory

Note that this issue only affects the confidentiality of the entropy returned by the CPU, not how random the value itself is.

Note also that an attacker can only observe the entropy most recently returned by an RDSEED or RDRAND instruction on the system. If a further RDSEED or RDRAND instruction is executed on the system, the older result is no longer observable by an attacker.

Although this is not a vulnerability in the Citrix Hypervisor (formerly Citrix XenServer) product, Citrix is providing hotfixes to mitigate this CPU issue. Hotfixes are available for all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.1. These hotfixes include updated CPU microcode which may have a noticeable performance impact on workloads that make significant use of RDRAND or RDSEED instructions.


Mitigating Factors

Only certain Intel CPUs are affected by this issue; Citrix recommends that customers contact their hardware vendor to determine if their system is affected.

Customers with only AMD CPUs are not affected by this issue.
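
As a supplement to the vendor check above, the following added example (not part of the Citrix article or any Citrix tooling) classifies a Linux system's status for CVE-2020-0543 from the CPU vendor and the kernel's own report. It assumes a Linux kernel that exposes the `srbds` entry under `/sys/devices/system/cpu/vulnerabilities`; that interface is a Linux kernel feature, may be absent on older kernels, and the result labels are names chosen for this example.

```python
"""Added example: classify a Linux host's SRBDS (CVE-2020-0543) status."""
from pathlib import Path

# Linux kernel interfaces (assumption: not described in the Citrix article).
SRBDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/srbds")
CPUINFO = Path("/proc/cpuinfo")


def cpu_vendor(cpuinfo_text):
    """Return the first vendor_id value from /proc/cpuinfo text, or None."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "vendor_id":
            return value.strip()
    return None


def classify(vendor, srbds_status):
    """Map CPU vendor and sysfs status text to a label for the operator."""
    if vendor == "AuthenticAMD":
        return "not-affected"        # advisory: AMD-only systems are unaffected
    if srbds_status is None:
        return "unknown-ask-vendor"  # kernel does not report; ask hardware vendor
    status = srbds_status.strip()
    if status == "Not affected":
        return "not-affected"
    if status.startswith("Mitigation:"):
        return "mitigated"           # e.g. "Mitigation: Microcode"
    if status.startswith("Vulnerable"):
        return "vulnerable"          # e.g. "Vulnerable: No microcode"
    if status.startswith("Unknown"):
        return "check-hypervisor"    # a guest cannot see host microcode state
    return "unknown-ask-vendor"


def check_host():
    """Read the live files; a missing file is treated as 'no information'."""
    vendor = cpu_vendor(CPUINFO.read_text()) if CPUINFO.exists() else None
    status = SRBDS_SYSFS.read_text() if SRBDS_SYSFS.exists() else None
    return classify(vendor, status)


if __name__ == "__main__":
    print(check_host())
```

Inside a guest VM the kernel typically cannot determine the host's microcode state, so a `check-hypervisor` result means the answer has to come from the hypervisor host and its installed hotfixes.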


What Customers Should Do

Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes as soon as their patching schedule permits. The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.1: CTX272278 – <https://support.citrix.com/article/CTX272278>

Citrix Hypervisor 8.0: CTX272277 – <https://support.citrix.com/article/CTX272277>

Citrix XenServer 7.1 LTSR CU2: CTX272276 – <https://support.citrix.com/article/CTX272276>

Citrix XenServer 7.0: CTX272275 – <https://support.citrix.com/article/CTX272275>


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date Change
2020-06-09 Initial Publication
