
             AUSCERT External Security Bulletin Redistribution

                     Citrix Hypervisor Security Update
                                17 May 2019


        AusCERT Security Bulletin Summary

Product:           Citrix Hypervisor
Publisher:         Citrix
Operating System:  Citrix XenServer
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11091 CVE-2018-12130 CVE-2018-12127
                   CVE-2018-12126

Reference:         ASB-2019.0138

Original Bulletin: 

Revision History:  May 17 2019: Added additional hotfixes
                   May 15 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Citrix Hypervisor Security Update

Reference: CTX251995

Category : High

Created  : 14 May 2019

Modified : 16 May 2019

Applicable Products

  o XenServer 7.6
  o XenServer 7.1 LTSR Cumulative Update 2
  o XenServer 7.0
  o Citrix Hypervisor 8.0

Description of Problem

A number of security issues have been identified in certain CPU hardware that
may allow unprivileged code running on a CPU core to infer the value of memory
data belonging to other processes, virtual machines or the hypervisor that are,
or have recently been, running on the same CPU core.

These issues have the following identifiers:

o CVE-2018-12126: Microarchitectural Store Buffer Data Sampling

o CVE-2018-12127: Microarchitectural Load Port Data Sampling

o CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling

o CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory

Although these are not vulnerabilities in the Citrix Hypervisor (formerly
Citrix XenServer) product, this bulletin and the associated hotfixes provide
assistance in mitigating these CPU issues.

Mitigating Factors

Customers with AMD CPUs are believed to be unaffected by these issues.

Some Intel CPUs are believed to be unaffected by these issues. A list of
affected Intel CPUs is expected to be made available at https://www.intel.com/

Identification of the specific CPU(s) present on a Citrix Hypervisor machine
may be obtained by typing the command

grep "model name" /proc/cpuinfo

in the Dom0 console.

What Customers Should Do

Full mitigation of these issues for systems with vulnerable CPUs requires all
of the following:

 1. Updates to Citrix Hypervisor
 2. Updates to the CPU microcode
 3. Disabling CPU hyper-threading (also known as simultaneous multi-threading)

In addition, updates to guest operating systems may be required to protect
guest VMs from code running within that same VM. Guest VMs will need to be
stopped and started (rather than rebooted) to fully mitigate these issues
within the guest VM. Customers are advised to follow their operating system
provider's recommendations. Likewise, updates to the host system firmware
("BIOS updates") may be required and Citrix recommends that you follow the
guidance of your hardware vendor for any updates that they may provide.

Updates to Citrix Hypervisor

Citrix has released hotfixes that contain mitigations for these CPU issues.
These hotfixes can be found on the Citrix website at the following locations:

Citrix Hypervisor 8.0: CTX250041 - https://support.citrix.com/article/CTX250041

Citrix XenServer 7.6: CTX250040 - https://support.citrix.com/article/CTX250040

Citrix XenServer 7.1 LTSR CU2: CTX250039 - https://support.citrix.com/article/

Citrix XenServer 7.0: CTX250038 - https://support.citrix.com/article/CTX250038

Updates to the CPU microcode

The hotfixes released with this bulletin contain microcode for all supported
CPU models for which Intel has presently made updates available. This microcode
will be automatically applied each time the system boots. Any further microcode
updates may be installed by means of system firmware updates ("BIOS updates")
and Citrix strongly recommends that you follow the guidance of your hardware
vendor for any updates that they may provide.

CPUs that are vulnerable to these issues, and for which the CPU manufacturer
has not provided microcode updates, will not have full mitigation of these

Once the hotfix has been applied, customers with vulnerable CPUs can determine
if the microcode required to mitigate these issues has been loaded into the CPU
by typing the command

xl dmesg | grep "Hardware features:"

in the Dom0 console shortly after the host has rebooted to apply the hotfix. If
the output includes the text MD_CLEAR, updated microcode is present.

Disabling CPU hyper-threading

Mitigation of these issues requires disabling hyper-threading on vulnerable
CPUs. Customers should evaluate their workload to determine whether disabling
hyper-threading is required in their environment, and should understand the
performance impact of this mitigation. Citrix recommends disabling
hyper-threading in deployments with untrusted workloads. The following
document provides the steps to disable hyper-threading via the Xen command
line: https://support.citrix.com/article/CTX237190

Note that disabling hyper-threading will result in the number of available
pCPUs being reduced and is likely to adversely impact performance. The
following document covers additional issues that may be encountered in
environments where customers have over-provisioned or pinned pCPUs (for example
when hyper-threads are disabled): https://support.citrix.com/article/CTX236977
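The three steps above (hotfix, microcode, hyper-threading) each leave a trace
that can be read from the Dom0 console. The following script is an added
example, not Citrix tooling and not part of the original bulletin: it wraps the
checks the bulletin names (the CPU vendor from /proc/cpuinfo and the MD_CLEAR
flag on the "Hardware features:" line of "xl dmesg") together with the
threads_per_core value that "xl info" reports, and combines them into one
verdict. The sample /proc/cpuinfo, "xl dmesg" and "xl info" text embedded in
it is constructed for offline use, not captured from a real host; run the
script with --live on a Dom0 to use the real commands.

```shell
#!/bin/sh
# Added example (not Citrix's own tooling): report MDS mitigation state on a
# Citrix Hypervisor / XenServer Dom0. Each check is a function over text so it
# can be exercised on captured or constructed output; "--live" runs the real
# commands. The hotfix itself (step 1) is a prerequisite for the Xen build that
# reports the "Hardware features:" line, so the checks below cover steps 2 and 3.

# Vendor string from /proc/cpuinfo; the bulletin says AMD CPUs are unaffected.
cpu_vendor() {            # $1 = contents of /proc/cpuinfo
    printf '%s\n' "$1" | awk -F': ' '/^vendor_id/ {print $2; exit}'
}

# Step 2: has microcode providing MD_CLEAR been loaded? Xen logs the features
# it sees on the "Hardware features:" line of "xl dmesg".
has_md_clear() {          # $1 = output of "xl dmesg"; prints yes/no
    if printf '%s\n' "$1" | grep 'Hardware features:' | grep -q 'MD_CLEAR'; then
        echo yes
    else
        echo no
    fi
}

# Step 3: is hyper-threading still on? "xl info" reports threads_per_core,
# which is 1 once SMT has been disabled on the Xen command line.
smt_enabled() {           # $1 = output of "xl info"; prints yes/no
    tpc=$(printf '%s\n' "$1" | awk -F': *' '/^threads_per_core/ {print $2; exit}')
    if [ "${tpc:-1}" -gt 1 ]; then echo yes; else echo no; fi
}

# One verdict: "unaffected", "mitigated", or the items still outstanding.
mds_verdict() {           # $1 = cpuinfo, $2 = xl dmesg, $3 = xl info
    case "$(cpu_vendor "$1")" in
        AuthenticAMD) echo "unaffected (AMD CPU)"; return 0 ;;
    esac
    missing=""
    [ "$(has_md_clear "$2")" = yes ] || missing="$missing microcode-MD_CLEAR"
    [ "$(smt_enabled "$3")" = no ]   || missing="$missing disable-hyperthreading"
    if [ -z "$missing" ]; then echo "mitigated"; else echo "outstanding:$missing"; fi
}

# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_CPUINFO='vendor_id : GenuineIntel
model name : Intel(R) Xeon(R) CPU (sample)'
SAMPLE_CPUINFO_AMD='vendor_id : AuthenticAMD'
SAMPLE_DMESG_PATCHED='(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD MD_CLEAR'
SAMPLE_DMESG_OLD='(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH'
SAMPLE_XLINFO_HT='threads_per_core       : 2'
SAMPLE_XLINFO_NOHT='threads_per_core       : 1'

# On a real Dom0: sh mds-check.sh --live
if [ "${1:-}" = "--live" ]; then
    mds_verdict "$(cat /proc/cpuinfo)" "$(xl dmesg)" "$(xl info)"
fi
```

A host that prints "mitigated" still needs the guest-side steps from the
bulletin (guest OS updates and a full stop/start of each VM); the script only
sees the hypervisor side. Note also that "unaffected (AMD CPU)" is taken
directly from the bulletin's statement about AMD, not from any flag the CPU
exposes.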


|Date          |Change                                                        |
|14th May 2019 |Initial publication                                           |
|16th May 2019 |Added additional hotfixes and included guidance on restarting |
|              |guest VMs                                                     |

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967