Description of Problem
A number of security vulnerabilities have been identified in Citrix XenServer that may allow malicious code running in a PV guest VM to compromise the host and malicious privileged code running in an HVM guest VM to crash the host.
These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including Citrix XenServer 7.4.
The following vulnerabilities have been addressed:
CVE-2017-5754: (High) Rogue data cache load, memory access permission check performed after kernel memory read
CVE-2018-10982: (Medium) x86: vHPET interrupt injection errors
CVE-2018-8897: (High) x86: mishandling of debug exceptions
Mitigating Factors
Customers with only HVM guest VMs with no untrustworthy privileged code running have mitigated these issues. Note that all Windows VMs are HVM guest VMs.
What Customers Should Do
Hotfixes have been released to address these issues. Citrix strongly recommends that affected customers install these hotfixes as soon as possible. The hotfixes can be downloaded from the following locations:
Citrix XenServer 7.4: CTX234440 – https://support.citrix.com/article/CTX234440
Citrix XenServer 7.3: CTX234439 – https://support.citrix.com/article/CTX234439
Citrix XenServer 7.1 LTSR CU1: CTX234437 – https://support.citrix.com/article/CTX234437
Citrix XenServer 7.0: CTX234436 – https://support.citrix.com/article/CTX234436
Citrix XenServer 6.5 SP1: CTX234435 – https://support.citrix.com/article/CTX234435
Citrix XenServer 6.2 SP1: CTX234434 – https://support.citrix.com/article/CTX234434
Citrix XenServer 6.0.2 Common Criteria: CTX234433 – https://support.citrix.com/article/CTX234433
In addition, following the publication of CVE-2017-5754, Citrix committed to provide mitigations for this issue for the Citrix XenServer 7.2 release which is now End of Life. A hotfix for this release is available at Citrix XenServer 7.2: CTX234438 – https://support.citrix.com/article/CTX234438
Note that, in line with previous statements, the hotfixes for the 6.x versions of Citrix XenServer do not include mitigations for CVE-2017-5754.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change |
8th May 2018 | Initial Publication |
11th May 2018 | Updated missing CVE identifier CVE-2018-10892 |