=====================================================================
                            CERT-Renater

                 Information Note No. 2018/VULN262
_____________________________________________________________________

DATE                 : 31/08/2018

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Citrix XenServer versions 7.5,
                       7.4, 7.1 LTSR CU1, 7.0.

=====================================================================
https://support.citrix.com/article/CTX236548
_____________________________________________________________________

CTX236548

XenServer Multiple Security Updates

Security Bulletin | High | Created: 14 Aug 2018 | Modified: 21 Aug 2018

Applicable Products

    XenServer 7.0
    XenServer 7.1 LTSR Cumulative Update 1
    XenServer 7.4
    XenServer 7.5

Description of Problem

Several security issues have been identified that impact XenServer.
Customers should consider these issues and determine possible impact
to their own systems.

These updates provide a mitigation for recently disclosed issues
affecting Intel CPUs. These issues, if exploited, could allow
malicious unprivileged code in guest VMs to read arbitrary host
memory, including memory allocated to other guests.

    CVE-2018-3620: (High) L1TF - Operating Systems and SMM
    CVE-2018-3646: (High) L1TF - Hypervisors

In addition, this update also addresses these vulnerabilities:

    CVE-2018-15471: (High) Linux netback driver OOB access in hash
    handling.
    This issue, if exploited, could allow malicious privileged code
    in a guest to compromise the host.

    CVE-2018-14007: (High) XenServer Directory Traversal
    This issue, if exploited, could allow an attacker on the
    management network (or who can influence the behavior of a user
    on the management network), to compromise the host.

    CVE-2018-15468: (Medium) x86: Incorrect MSR_DEBUGCTL handling
    lets guests enable BTS
    This issue, if exploited, could allow malicious privileged code
    in an HVM guest running on an Intel CPU to cause the host to
    become unresponsive.

All of these issues affect the following versions of Citrix
XenServer:

    Citrix XenServer 7.5
    Citrix XenServer 7.4
    Citrix XenServer 7.1 LTSR CU1

In addition, CVE-2018-3620, CVE-2018-3646 and CVE-2018-15468 also
affect Citrix XenServer 7.0.

Mitigating Factors

Systems based on AMD CPUs have reduced exposure and are believed to
be vulnerable only to CVE-2018-14007 and CVE-2018-15471.

What Customers Should Do

Updates have been released to address these issues. Citrix recommends
that affected customers install these updates as soon as possible.
Note that these updates are not live patchable. The updates can be
downloaded from the following locations:

    Citrix XenServer 7.0
        CTX237090 - https://support.citrix.com/article/CTX237090
        CTX237092 - https://support.citrix.com/article/CTX237092

    Citrix XenServer 7.1 CU1
        CTX236908 - https://support.citrix.com/article/CTX236908
        CTX237088 - https://support.citrix.com/article/CTX237088
        CTX237089 - https://support.citrix.com/article/CTX237089

    Citrix XenServer 7.4
        CTX236909 - https://support.citrix.com/article/CTX236909
        CTX237086 - https://support.citrix.com/article/CTX237086
        CTX237087 - https://support.citrix.com/article/CTX237087

    Citrix XenServer 7.5
        CTX236910 - https://support.citrix.com/article/CTX236910
        CTX237085 - https://support.citrix.com/article/CTX237085
        CTX237080 - https://support.citrix.com/article/CTX237080

In addition, Citrix recommends customers review the below information
and take the appropriate actions.

As documented in Security Recommendations When Deploying Citrix
XenServer, Citrix recommends that the XenServer management interface
is placed on an isolated management network.

Mitigation for the SMM portion of CVE-2018-3620 may require updating
the host firmware. Citrix recommends that customers contact their
hardware vendor for further information on these firmware upgrades.

Mitigation of CVE-2018-3620 for PV guests may result in a performance
reduction until the PV guest’s kernel is updated to be aware of
CVE-2018-3620 mitigations. Citrix recommends updating all PV guests
to kernel versions that are aware of CVE-2018-3620 to avoid this
performance reduction.

Full mitigation of CVE-2018-3646 also requires the disabling of
hyper-threads on Intel CPUs. Customers should evaluate their workload,
determine if the mitigation of disabling hyper-threading is required
in their environment, and understand the performance impact of this
mitigation. The following document provides the steps to disable
hyper-threading via the Xen command line:
https://support.citrix.com/article/CTX237190

Note that disabling hyper-threading may result in the number of
available pCPUs being reduced, and adversely impact performance. The
following document covers additional issues that may be encountered
in environments where customers have over-provisioned or pinned pCPUs
(for example when hyper-threads are disabled):
https://support.citrix.com/article/CTX236977

Acknowledgements

Citrix thanks Ronald Volgers of Computest.nl for working with us on
CVE-2018-14007 to protect Citrix customers.

What Citrix Is Doing

Citrix is notifying customers and channel partners about this
potential security issue. This article is also available from the
Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Contact details for Citrix Technical
Support are available at
https://www.citrix.com/support/open-a-support-case.html.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities seriously.
For guidance on how to report security-related issues to Citrix,
please see the following document: CTX081743 – Reporting Security
Issues to Citrix

Changelog

    Date              Change
    14 August 2018    Initial Issue
    21 August 2018    Updated CVE identifiers for TBA entries

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================