
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN471
_____________________________________________________________________

DATE                : 24/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Citrix Hypervisor (formerly Citrix
                         XenServer), all versions up to and including 8.2 LTSR.

=====================================================================
https://support.citrix.com/article/CTX280451
_____________________________________________________________________

Citrix Hypervisor Security Update

Reference: CTX280451

Category : High

Created  : 24 Aug 2020

Modified : 24 Aug 2020

Applicable Products

  o Citrix Hypervisor
  o XenServer

Description of Problem

Two issues have been identified in Citrix Hypervisor that may, in
certain configurations, allow privileged code in an HVM guest VM to
execute code in the control domain, potentially compromising the host.

These vulnerabilities affect all currently supported versions of Citrix
XenServer up to and including Citrix Hypervisor 8.2 LTSR.

These issues have the following identifiers:

  o CVE-2020-14364
  o CVE-2018-17958


Mitigating Factors

For customers who have not assigned PCI passthrough devices to untrusted
guests (using the PCI passthrough functionality of Citrix Hypervisor), the
impact is reduced to code execution within a deprivileged environment in
the control domain rather than a compromise of the host.


What Customers Should Do

Hotfixes have been released to address these issues. Citrix recommends
that affected customers install these hotfixes as soon as practicable.
The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.2 LTSR: CTX280214 - https://support.citrix.com/article/CTX280214

Citrix Hypervisor 8.1: CTX280213 - https://support.citrix.com/article/CTX280213

Citrix Hypervisor 8.0: CTX280212 - https://support.citrix.com/article/CTX280212

Citrix XenServer 7.1 LTSR CU2: CTX280211 - https://support.citrix.com/article/CTX280211

Citrix XenServer 7.0: CTX280210 - https://support.citrix.com/article/CTX280210

Once the hotfix has been applied, the affected HVM guest VMs must be
restarted, or migrated to an already updated host, before the remediation
takes effect for those guests.
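The triage a Citrix Hypervisor administrator would run from dom0 after installing the hotfixes, covering both the restart-or-migrate step above and the PCI passthrough case from the "Mitigating Factors" section. This is an added example, not code from the Citrix article or from CERT-Renater; it assumes the standard record-per-paragraph output of the `xe` CLI and the documented `other-config:pci` key that assigns a PCI device to a VM. The sample `xe` output, UUIDs and update labels embedded in it are constructed placeholders, not real hotfix names.

```shell
#!/bin/sh
# Added example (not Citrix's or CERT-Renater's code): post-hotfix triage on a
# Citrix Hypervisor / XenServer pool, run from dom0. Two checks:
#   1. which pool updates carry the "restartHVM" after-apply guidance
#      (CTX280451 says HVM guests must be restarted or migrated after patching);
#   2. which running HVM guests are affected, and which of those also have a
#      PCI passthrough device assigned via other-config:pci, i.e. the case in
#      which the advisory's mitigating factor does NOT apply.
# All sample data below is constructed; labels and UUIDs are placeholders.

# parse_xe FIELD...: turn the output of an `xe ... params=` command (stdin)
# into one tab-separated line per record holding the named fields in order.
# xe prints lines such as "        name-label ( RW): value" and
# "uuid ( RO)          : value", separated by blank lines between records.
parse_xe() {
    awk -v want="$*" '
    BEGIN { n = split(want, keys, " ") }
    function flush(   i, k, line) {
        if (!("uuid" in rec)) return
        line = ""
        for (i = 1; i <= n; i++) line = line (i > 1 ? "\t" : "") rec[keys[i]]
        print line
        for (k in rec) delete rec[k]
    }
    /^[ \t]*$/ { flush(); next }            # blank line ends a record
    {
        sub(/^[ \t]+/, "")
        p = index($0, " (")                 # field name ends before "( RW)"
        if (p == 0) next
        name = substr($0, 1, p - 1)
        rest = substr($0, index($0, ")") + 1)
        sub(/^[ \t]*: ?/, "", rest)         # drop padding and the ": " separator
        rec[name] = rest
    }
    END { flush() }'
}

# updates_needing_hvm_restart: name-labels of updates whose after-apply
# guidance includes restartHVM. Feed it:
#   xe update-list params=uuid,name-label,after-apply-guidance
updates_needing_hvm_restart() {
    parse_xe uuid name-label after-apply-guidance |
        awk 'BEGIN { FS = "\t" } $3 ~ /restartHVM/ { print $2 }'
}

# running_hvm_guests: "uuid<TAB>name-label<TAB>pci-passthrough|no-passthrough"
# for every running, non-control-domain VM with a non-empty HVM-boot-policy
# (PV guests leave it empty). Feed it:
#   xe vm-list params=uuid,name-label,power-state,is-control-domain,HVM-boot-policy,other-config
running_hvm_guests() {
    parse_xe uuid name-label power-state is-control-domain HVM-boot-policy other-config |
        awk 'BEGIN { FS = "\t" }
             $3 == "running" && $4 == "false" && $5 != "" {
                 pci = ($6 ~ /(^|; )pci: /) ? "pci-passthrough" : "no-passthrough"
                 print $1 "\t" $2 "\t" pci
             }'
}

# Constructed sample of `xe update-list` output (placeholder labels and UUIDs).
SAMPLE_UPDATES='uuid ( RO)                   : 3e5a9a3c-8c73-4d20-9b8f-2e3d2c7f3a03
          name-label ( RO): example-hotfix-devicemodel
after-apply-guidance ( RO): restartHVM


uuid ( RO)                   : 4f6bab4d-9d84-4e31-8c9a-3f4e3d8a4b04
          name-label ( RO): example-hotfix-toolstack
after-apply-guidance ( RO): restartXAPI'

# Constructed sample of `xe vm-list` output: dom0, a PCI passthrough HVM guest,
# a PV guest, a halted HVM guest and a plain running HVM guest.
SAMPLE_VMS='uuid ( RO)                : 1c3e7e1a-6a51-4b0e-9f6d-0c1b0a5d1e01
          name-label ( RW): dom0-host1
         power-state ( RO): running
   is-control-domain ( RO): true
     HVM-boot-policy ( RW):
        other-config (MRW):


uuid ( RO)                : 2d4f8f2b-7b62-4c1f-8a7e-1d2c1b6e2f02
          name-label ( RW): win10-gpu
         power-state ( RO): running
   is-control-domain ( RO): false
     HVM-boot-policy ( RW): BIOS order
        other-config (MRW): pci: 0/0000:03:00.0; base_template_name: Windows 10 (64-bit)


uuid ( RO)                : 3e5a9a3c-8c73-4d20-9b8f-2e3d2c7f3a03
          name-label ( RW): debian-pv
         power-state ( RO): running
   is-control-domain ( RO): false
     HVM-boot-policy ( RW):
        other-config (MRW): base_template_name: Debian Buster 10


uuid ( RO)                : 4f6bab4d-9d84-4e31-8c9a-3f4e3d8a4b04
          name-label ( RW): win2016-halted
         power-state ( RO): halted
   is-control-domain ( RO): false
     HVM-boot-policy ( RW): BIOS order
        other-config (MRW): base_template_name: Windows Server 2016 (64-bit)


uuid ( RO)                : 5a7cbc5e-ae95-4f42-9dab-4a5f4e9b5c05
          name-label ( RW): ubuntu-hvm
         power-state ( RO): running
   is-control-domain ( RO): false
     HVM-boot-policy ( RW): BIOS order
        other-config (MRW): base_template_name: Ubuntu Bionic Beaver 18.04'

if command -v xe >/dev/null 2>&1; then
    # On a real dom0: read live data from the toolstack.
    echo "== updates requiring HVM guest restart =="
    xe update-list params=uuid,name-label,after-apply-guidance | updates_needing_hvm_restart
    echo "== running HVM guests (restart or migrate after the hotfix) =="
    xe vm-list params=uuid,name-label,power-state,is-control-domain,HVM-boot-policy,other-config | running_hvm_guests
else
    echo "== updates requiring HVM guest restart (sample data) =="
    printf '%s\n' "$SAMPLE_UPDATES" | updates_needing_hvm_restart
    echo "== running HVM guests (sample data) =="
    printf '%s\n' "$SAMPLE_VMS" | running_hvm_guests
fi
```

On XenServer 7.0, where hotfixes are still `pool_patch` objects, use `xe patch-list` in place of `xe update-list`; the `after-apply-guidance` parameter exists on both. Any guest reported as `pci-passthrough` is one to which the mitigating factor above does not apply, so its restart or migration should be scheduled first.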

Customers on Citrix Hypervisor 8.0 should be aware that this version
reaches End of Life on 31st August 2020 and that Citrix recommends that
customers upgrade to a newer version.


Acknowledgements


Changelog

Date            Change
2020-08-24      Initial Publication

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




