
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN140

_____________________________________________________________________

DATE                : 15/05/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Citrix XenServer, Citrix Hypervisor.

=====================================================================
https://support.citrix.com/article/CTX251995
_____________________________________________________________________

Citrix Hypervisor Security Update

Reference: CTX251995

Category : High

Created  : 14 May 2019

Modified : 14 May 2019

Applicable Products

  o XenServer 7.6
  o XenServer 7.1 LTSR Cumulative Update 2
  o XenServer 7.0
  o Citrix Hypervisor 8.0


Description of Problem

A number of security issues have been identified in certain CPU hardware
that may allow unprivileged code running on a CPU core to infer the
value of memory data belonging to other processes, virtual machines or
the hypervisor that are, or have recently been, running on the same CPU
core.

These issues have the following identifiers:

o CVE-2018-12126: Microarchitectural Store Buffer Data Sampling

o CVE-2018-12127: Microarchitectural Load Port Data Sampling

o CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling

o CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory

Although these are not vulnerabilities in the Citrix Hypervisor
(formerly Citrix XenServer) product, this bulletin and the associated
hotfixes provide assistance in mitigating these CPU issues.


Mitigating Factors

Customers with AMD CPUs are believed to be unaffected by these issues.

Some Intel CPUs are believed to be unaffected by these issues. A list of
affected Intel CPUs is expected to be made available at
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

Identification of the specific CPU(s) present on a Citrix Hypervisor
machine may be obtained by typing the command

grep "model name" /proc/cpuinfo

in the Dom0 console.


What Customers Should Do

Full mitigation of these issues for systems with vulnerable CPUs
requires all of:

 1. Updates to Citrix Hypervisor
 2. Updates to the CPU microcode
 3. Disabling CPU hyper-threading (also known as simultaneous
    multi-threading)

In addition, updates to guest operating systems may be required to
protect guest VMs from code running within that same VM. Customers
are advised to follow their operating system provider's recommendations.
Likewise, updates to the host system firmware ("BIOS updates") may be
required and Citrix recommends that you follow the guidance of your
hardware vendor for any updates that they may provide.


Updates to Citrix Hypervisor

Citrix has released a hotfix that contains mitigations for these CPU
issues.
This hotfix can be found on the Citrix website at the following
location:

Citrix XenServer 7.1 LTSR CU2: CTX250039 -
https://support.citrix.com/article/CTX250039

Citrix intends to release hotfixes for the following product versions in
the near future:

Citrix Hypervisor 8.0

Citrix XenServer 7.6

Citrix XenServer 7.0


This bulletin will be updated when these hotfixes are available.


Updates to the CPU microcode

The hotfixes released with this bulletin contain microcode for all
supported CPU models for which Intel has presently made updates
available. This microcode will be automatically applied each time the
system boots. Any further microcode updates may be installed by means
of system firmware updates ("BIOS updates") and Citrix strongly
recommends that you follow the guidance of your hardware vendor
for any updates that they may provide.

CPUs that are vulnerable to these issues, and for which the CPU
manufacturer has not provided microcode updates, will not have full
mitigation of these issues.

Once the hotfix has been applied, customers with vulnerable CPUs can
determine if the microcode required to mitigate these issues has been
loaded into the CPU by typing the command

xl dmesg | grep "Hardware features:"

in the Dom0 console shortly after the host has rebooted to apply the
hotfix. If the output includes the text MD_CLEAR, updated microcode is
present.


Disabling CPU hyper-threading

Mitigation of these issues requires disabling hyper-threading on
vulnerable CPUs. Customers should evaluate their workload and determine
if the mitigation of disabling hyper-threading is required in their
environment, and to understand the performance impact of this
mitigation. Citrix recommends disabling hyper-threading in deployments
with untrusted workloads. The following document provides the steps to
disable hyper-threading via the Xen command line:
https://support.citrix.com/article/CTX237190

Note that disabling hyper-threading will result in the number of
available pCPUs being reduced and is likely to adversely impact
performance. The following document covers additional issues that may
be encountered in environments where customers have over-provisioned or
pinned pCPUs (for example when hyper-threads are disabled):
https://support.citrix.com/article/CTX236977
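The three checks the bulletin describes (identifying the CPU, confirming MD_CLEAR in the "Hardware features:" line after the hotfix, and reviewing the hyper-threading state) combined into one script to run as root in the Dom0 console. This is an added example, not code from Citrix or CERT-Renater; it assumes the "Hardware features:" line format of xl dmesg and the threads_per_core field of xl info, and falls back to constructed sample output when xl is not available.

```shell
#!/bin/sh
# Added example (not Citrix's or CERT-Renater's code): report the MDS
# mitigation signals from Dom0. The xl dmesg and xl info formats below are
# assumptions, shown as constructed samples used when xl is not installed.

# CPU vendor from /proc/cpuinfo text: amd (believed unaffected), intel, unknown.
cpu_vendor() {
  if printf '%s\n' "$1" | grep -qi '^vendor_id.*AuthenticAMD'; then echo amd
  elif printf '%s\n' "$1" | grep -qi '^vendor_id.*GenuineIntel'; then echo intel
  else echo unknown; fi
}

# MD_CLEAR in the "Hardware features:" line of xl dmesg means updated microcode.
md_clear_state() {
  if printf '%s\n' "$1" | grep 'Hardware features:' | grep -qw MD_CLEAR; then
    echo present
  else
    echo missing
  fi
}

# threads_per_core from xl info: 1 means hyper-threading is disabled.
threads_per_core() {
  printf '%s\n' "$1" | awk -F: '/^threads_per_core/ {gsub(/ /, "", $2); print $2; exit}'
}

# Constructed samples standing in for real Dom0 output (assumed formats).
SAMPLE_CPUINFO='vendor_id       : GenuineIntel'
SAMPLE_DMESG='(XEN)  Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD MD_CLEAR'
SAMPLE_XLINFO='cores_per_socket       : 8
threads_per_core       : 2'

if command -v xl >/dev/null 2>&1; then
  CPUINFO=$(cat /proc/cpuinfo); DMESG=$(xl dmesg); XLINFO=$(xl info)
else
  CPUINFO=$SAMPLE_CPUINFO; DMESG=$SAMPLE_DMESG; XLINFO=$SAMPLE_XLINFO
fi

vendor=$(cpu_vendor "$CPUINFO")
echo "CPU vendor:         $vendor"
if [ "$vendor" = amd ]; then
  echo "AMD CPUs are believed to be unaffected by these issues."
else
  echo "MD_CLEAR microcode: $(md_clear_state "$DMESG")"
  tpc=$(threads_per_core "$XLINFO")
  echo "threads_per_core:   ${tpc:-unknown}"
  if [ "${tpc:-0}" -gt 1 ]; then
    echo "Hyper-threading is enabled; see CTX237190 to disable it via the Xen command line."
  fi
fi
```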


Changelog

+-------------------------------+---------------------------------------------+
|Date                           |Change                                       |
+-------------------------------+---------------------------------------------+
|14th May 2019                  |Initial publication                          |
+-------------------------------+---------------------------------------------+


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================