Description of Problem
Several security issues have been identified in Citrix Hypervisor (formerly Citrix XenServer) that may allow:
- unprivileged code in a PV guest VM to compromise that PV guest VM
- privileged code in a guest VM to cause the host to crash or become unresponsive
- privileged code in an HVM guest VM, to which the host administrator has assigned a PCI passthrough device, to corrupt in-memory data of the host or other VMs and potentially cause the host to crash.
These issues have the following identifiers:
- CVE-2020-27670
- CVE-2020-27671
- CVE-2020-27672
- CVE-2020-27673
- CVE-2020-27674
- CVE-2020-27675
These issues affect all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.2 LTSR.
What Customers Should Do
Citrix has released hotfixes to address these issues. Citrix recommends that affected customers install these hotfixes as their patching schedule allows. The hotfixes can be downloaded from the following locations:
Citrix Hypervisor 8.2 LTSR: CTX283510 – https://support.citrix.com/article/CTX283510 and CTX283516 – https://support.citrix.com/article/CTX283516
Citrix Hypervisor 8.1: CTX283509 – https://support.citrix.com/article/CTX283509 and CTX283515 – https://support.citrix.com/article/CTX283515
Citrix XenServer 7.1 LTSR CU2: CTX283508 – https://support.citrix.com/article/CTX283508 and CTX283514 – https://support.citrix.com/article/CTX283514
Citrix XenServer 7.0: CTX283507 – https://support.citrix.com/article/CTX283507 and CTX283512 – https://support.citrix.com/article/CTX283512
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please visit the Citrix Trust Center at https://www.citrix.com/about/trust-center/vulnerability-process.html.
Changelog
Date | Change |
2020-10-27 | Initial Publication |
2020-10-27 | Corrected links to hotfixes |