Citrix XenServer Multiple Security Updates

Due to concerns about the robustness of some of the Intel microcode updates included in the earlier hotfixes for these issues (XS71ECU1009, XS72E013 and XS73E001), Citrix has superseded these hotfixes with new hotfixes listed below. Customers are strongly recommended to apply these new hotfixes.

These new hotfixes may be applied to systems that have not previously installed hotfixes XS71ECU1009, XS72E013 or XS73E001 as well as those that have. Customers who have not yet installed hotfixes XS71ECU1009, XS72E013 or XS73E001 are strongly recommended not to install those updates but move directly to the new updates listed below.

These new updates remove the Intel microcode deployed by the previous hotfixes and do not provide new microcode. Customers are strongly advised to follow their hardware providers' recommendations on installing new firmware.

Customers who have previously disabled loading of microcode by XenServer may consult CTX231724 (https://support.citrix.com/article/CTX231724) for guidance on how to re-enable that functionality.

This hotfix provides mitigations for certain recently disclosed vulnerabilities in the speculative execution functionality of multiple vendors' CPUs: 

• CVE-2017-5753, also known as ‘Variant 1: bounds check bypass’
• CVE-2017-5715, also known as ‘Variant 2: branch target injection’
• CVE-2017-5754, also known as ‘Variant 3: rogue data cache load’ 

For Variant 1, Citrix is not currently aware of any exploit vectors in Citrix XenServer.

For Variant 2, an attacker running code in a guest VM may be able to read in-memory data from other VMs on the same host. This is independent of the CPU vendor.

For Variant 3, an attacker running code in a 64 bit PV guest VM running on an Intel CPU may be able to read in-memory data from other VMs on the same host.

As these are issues in the underlying hardware, all versions of Citrix XenServer are affected. 

In addition to the mitigations for these CPU speculative execution issues, this hotfix also addresses a number of vulnerabilities that have been identified in Citrix XenServer:

• CVE-2017-17566 - x86 PV guests may gain access to internally used pages
• CVE-2017-17563 - broken x86 shadow mode refcount overflow check
• CVE-2017-17564 - improper x86 shadow mode refcount error handling
• CVE-2017-17565 - improper bug check in x86 log-dirty handling

Collectively, these four issues could allow a malicious guest administrator to crash the host.

The CPU speculative execution mitigations require system firmware/BIOS upgrades to be applied before becoming fully effective. Citrix strongly recommends that customers contact their hardware vendors for further information on these firmware upgrades.

As these issues are in optimisation features of the underlying physical CPU, mitigating them will necessarily cause a reduction of CPU performance. This performance impact will depend on a number of factors, including workload and CPU model. Customers are recommended to monitor their system loads after installing these hotfixes.

After applying the relevant firmware/BIOS upgrades and XenServer hotfixes, guest VMs will need to be fully shut down and started at least once after the application of relevant guest operating system updates. This will allow any corresponding security updates for the guest operating system to become fully effective.

Citrix has released hotfixes that contain mitigations for Variant 2. These hotfixes can be found on the Citrix website at the following locations:

Citrix XenServer 7.3: CTX231721 – https://support.citrix.com/article/ctx231721

Citrix XenServer 7.2: CTX231720 – https://support.citrix.com/article/ctx231720

Citrix XenServer 7.1 LTSR CU1: CTX231719 – https://support.citrix.com/article/ctx231719

Citrix XenServer 7.0: CTX230787 – https://support.citrix.com/article/ctx230787

Note that these updates are not Livepatchable. Citrix is aware of a potential remaining issue for Variant 2 when using 32-bit PV guests and is actively working on an update for this issue but strongly recommends that customers that have deployed untrusted 32-bit PV guests consider transitioning to HVM-based guests.

Citrix has released a subsequent security bulletin that includes mitigations for Variant 3.  This bulletin can be found on the Citrix website at https://support.citrix.com/article/CTX234679.

Addressing a hardware vulnerability by using a software update can present significant challenges, and the 6.0.2 Common Criteria edition, 6.2 SP1, and 6.5 SP1 versions of XenServer require extensive architectural changes to do so. Citrix is therefore not making hotfixes for these versions available to customers, and will continue to work with hardware vendors on other mitigation strategies. Customers on the 6.2 SP1 and 6.5 SP1 versions are strongly recommended to upgrade to a more recent version. Customers on the 6.0.2 Common Criteria version are strongly recommended to consult their security advisors.