Citrix Hypervisor Security Update

Several security issues have been identified in Citrix Hypervisor (formerly Citrix XenServer) that may allow:

• unprivileged code in a PV guest VM to compromise that PV guest VM
• privileged code in a guest VM to cause the host to crash or become unresponsive
• privileged code in an HVM guest VM, to which the host administrator has assigned a PCI passthrough device, to corrupt in-memory data of the host or other VMs and potentially cause the host to crash.

These issues have the following identifiers:

• CVE-2020-27670
• CVE-2020-27671
• CVE-2020-27672
• CVE-2020-27673
• CVE-2020-27674
• CVE-2020-27675

These issues affect all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.2 LTSR.

Citrix has released hotfixes to address these issues. Citrix recommends that affected customers install these hotfixes as their patching schedule allows.  The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.2 LTSR: CTX283510 – https://support.citrix.com/article/CTX283510 and CTX283516 – https://support.citrix.com/article/CTX283516

Citrix Hypervisor 8.1: CTX283509 – https://support.citrix.com/article/CTX283509 and CTX283515 – https://support.citrix.com/article/CTX283515

Citrix XenServer 7.1 LTSR CU2: CTX283508 – https://support.citrix.com/article/CTX283508 and CTX283514 – https://support.citrix.com/article/CTX283514

Citrix XenServer 7.0: CTX283507 – https://support.citrix.com/article/CTX283507 and CTX283512 – https://support.citrix.com/article/CTX283512

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please visit the Citrix Trust Center at https://www.citrix.com/about/trust-center/vulnerability-process.html.