-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1714.2
                       Citrix Hypervisor Security Update
                                 17 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Hypervisor
Publisher:         Citrix
Operating System:  Citrix XenServer
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11091 CVE-2018-12130 CVE-2018-12127
                   CVE-2018-12126
Reference:         ASB-2019.0138
                   ESB-2019.1708
                   ESB-2019.1706
                   ESB-2019.1705

Original Bulletin:
   https://support.citrix.com/article/CTX251995

Revision History:  May 17 2019: Added additional hotfixes
                   May 15 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Hypervisor Security Update

Reference: CTX251995
Category : High
Created  : 14 May 2019
Modified : 16 May 2019

Applicable Products

  o XenServer 7.6
  o XenServer 7.1 LTSR Cumulative Update 2
  o XenServer 7.0
  o Citrix Hypervisor 8.0

Description of Problem

A number of security issues have been identified in certain CPU hardware that
may allow unprivileged code running on a CPU core to infer the value of memory
data belonging to other processes, virtual machines or the hypervisor that
are, or have recently been, running on the same CPU core.

These issues have the following identifiers:

  o CVE-2018-12126: Microarchitectural Store Buffer Data Sampling
  o CVE-2018-12127: Microarchitectural Load Port Data Sampling
  o CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling
  o CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory

Although these are not vulnerabilities in the Citrix Hypervisor (formerly
Citrix XenServer) product, this bulletin and the associated hotfixes provide
assistance in mitigating these CPU issues.
Mitigating Factors

Customers with AMD CPUs are believed to be unaffected by these issues.

Some Intel CPUs are believed to be unaffected by these issues. A list of
affected Intel CPUs is expected to be made available at
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

Identification of the specific CPU(s) present on a Citrix Hypervisor machine
may be obtained by typing the command

  grep "model name" /proc/cpuinfo

in the Dom0 console.

What Customers Should Do

Full mitigation of these issues for systems with vulnerable CPUs requires all
of:

  1. Updates to Citrix Hypervisor
  2. Updates to the CPU microcode
  3. Disabling CPU hyper-threading (also known as simultaneous multi-threading)

In addition, updates to guest operating systems may be required to protect
guest VMs from code running within that same VM. Guest VMs will need to be
stopped and started (rather than rebooted) to fully mitigate these issues
within the guest VM. Customers are advised to follow their operating system
provider's recommendations.

Likewise, updates to the host system firmware ("BIOS updates") may be required
and Citrix recommends that you follow the guidance of your hardware vendor for
any updates that they may provide.

Updates to Citrix Hypervisor

Citrix has released hotfixes that contain mitigations for these CPU issues.
These hotfixes can be found on the Citrix website at the following locations:

  Citrix Hypervisor 8.0:         CTX250041 - https://support.citrix.com/article/CTX250041
  Citrix XenServer 7.6:          CTX250040 - https://support.citrix.com/article/CTX250040
  Citrix XenServer 7.1 LTSR CU2: CTX250039 - https://support.citrix.com/article/CTX250039
  Citrix XenServer 7.0:          CTX250038 - https://support.citrix.com/article/CTX250038

Updates to the CPU microcode

The hotfixes released with this bulletin contain microcode for all supported
CPU models for which Intel has presently made updates available. This
microcode will be automatically applied each time the system boots.
Any further microcode updates may be installed by means of system firmware
updates ("BIOS updates") and Citrix strongly recommends that you follow the
guidance of your hardware vendor for any updates that they may provide.

CPUs that are vulnerable to these issues, and for which the CPU manufacturer
has not provided microcode updates, will not have full mitigation of these
issues.

Once the hotfix has been applied, customers with vulnerable CPUs can determine
if the microcode required to mitigate these issues has been loaded into the
CPU by typing the command

  xl dmesg | grep "Hardware features:"

in the Dom0 console shortly after the host has rebooted to apply the hotfix.
If the output includes the text MD_CLEAR, updated microcode is present.

Disabling CPU hyper-threading

Mitigation of these issues requires disabling hyper-threading on vulnerable
CPUs. Customers should evaluate their workload, determine whether the
mitigation of disabling hyper-threading is required in their environment, and
understand the performance impact of this mitigation. Citrix recommends
disabling hyper-threading in deployments with untrusted workloads.

The following document provides the steps to disable hyper-threading via the
Xen command line:

  https://support.citrix.com/article/CTX237190

Note that disabling hyper-threading will result in the number of available
pCPUs being reduced and is likely to adversely impact performance.
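The following script is an added example and is not part of the Citrix or AusCERT bulletin. It wraps the three host-side checks described above (CPU model from /proc/cpuinfo, MD_CLEAR on Xen's "Hardware features:" line, and whether hyper-threading is still active) into functions that take command output as text, so the logic can be exercised offline against constructed samples. The exact layout of the Xen log lines and of the cpuinfo/xl info samples is constructed for illustration; the use of the threads_per_core field of `xl info` to detect hyper-threading is an assumption of this example, not guidance from the bulletin, which refers to CTX237190 for that step.

```shell
#!/bin/sh
# Added example, not part of the Citrix or AusCERT bulletin: a Dom0 checklist
# for the host-side MDS mitigation steps. Each check is a function that takes
# the relevant command output as text so it can run offline against the
# constructed samples below; run_live_checks shows the real invocation.

# Print the unique CPU model strings (the bulletin's `grep "model name"` check).
cpu_models() {
    printf '%s\n' "$1" | grep "model name" | sed 's/.*: //' | sort -u
}

# Microcode check: per the bulletin, MD_CLEAR on Xen's "Hardware features:"
# line means updated microcode is loaded. Prints present/absent, exit 0/1.
# Only that line is inspected so MD_CLEAR elsewhere in the log cannot mislead.
md_clear_status() {
    if printf '%s\n' "$1" | grep "Hardware features:" | grep -q "MD_CLEAR"; then
        echo present
        return 0
    fi
    echo absent
    return 1
}

# Hyper-threading check. Assumption (not from the bulletin): `xl info`
# reports threads_per_core, and a value above 1 means SMT is still active.
smt_status() {
    printf '%s\n' "$1" | awk -F':' '
        /^threads_per_core/ { gsub(/ /, "", $2); found = 1
                              s = ($2 + 0 > 1) ? "enabled" : "disabled"; print s }
        END { if (!found) print "unknown" }'
}

# One verdict: "mitigated" only when microcode is present AND hyper-threading
# is off, matching the bulletin's "requires all of" rule for the host side.
mds_verdict() {
    mc=$(md_clear_status "$1") || true
    smt=$(smt_status "$2")
    if [ "$mc" = present ] && [ "$smt" = disabled ]; then
        echo mitigated
    else
        echo "not mitigated (microcode: $mc, hyper-threading: $smt)"
    fi
}

# Constructed samples (not real captures) in the shape of the live output.
SAMPLE_CPUINFO='processor       : 0
model name      : Intel(R) Xeon(R) CPU E5-2690 v4 @ 2.60GHz
processor       : 1
model name      : Intel(R) Xeon(R) CPU E5-2690 v4 @ 2.60GHz'

SAMPLE_DMESG_NEW='(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD MD_CLEAR
(XEN)   Compiled-in support: INDIRECT_THUNK SHADOW_PAGING'

SAMPLE_DMESG_OLD='(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
(XEN)   Compiled-in support: INDIRECT_THUNK SHADOW_PAGING'

SAMPLE_XLINFO_HT='nr_cpus                : 56
cores_per_socket       : 14
threads_per_core       : 2'

SAMPLE_XLINFO_NOHT='nr_cpus                : 28
cores_per_socket       : 14
threads_per_core       : 1'

# On a real host, run as root in the Dom0 console after the post-hotfix reboot.
run_live_checks() {
    cpu_models "$(cat /proc/cpuinfo)"
    mds_verdict "$(xl dmesg)" "$(xl info)"
}

# Offline demonstration against the constructed samples.
echo "CPU model(s): $(cpu_models "$SAMPLE_CPUINFO")"
echo "Before hotfix, HT on : $(mds_verdict "$SAMPLE_DMESG_OLD" "$SAMPLE_XLINFO_HT")"
echo "After hotfix, HT on  : $(mds_verdict "$SAMPLE_DMESG_NEW" "$SAMPLE_XLINFO_HT")"
echo "After hotfix, HT off : $(mds_verdict "$SAMPLE_DMESG_NEW" "$SAMPLE_XLINFO_NOHT")"
```

The verdict deliberately reports "not mitigated" when microcode is present but hyper-threading is still on, since the bulletin lists all three steps as required for vulnerable CPUs; a host that is missing vendor microcode will also show "absent" even after the hotfix, which is the case the bulletin warns cannot be fully mitigated.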
The following document covers additional issues that may be encountered in
environments where customers have over-provisioned or pinned pCPUs (for
example when hyper-threads are disabled):

  https://support.citrix.com/article/CTX236977

Changelog

+------------+----------------------------------------------------------------+
|Date        |Change                                                          |
+------------+----------------------------------------------------------------+
|14th May    |Initial publication                                             |
|2019        |                                                                |
+------------+----------------------------------------------------------------+
|16th May    |Added additional hotfixes and included guidance on restarting   |
|2019        |guest VMs                                                       |
+------------+----------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information is
still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXN5BAGaOgq3Tt24GAQj5jBAAimuAo9RFe2KxmCRIM4H0eSG+8nR4vvKw
5evosssitRits6JrJ47p1pHD8h1EdL/5g9CJ2IP8ez6FHvUvUy3o6lYCCM8oHHVN
U9tnZxQCJBWHP3s11svZmySdY1+7M/7IOc31m44Om8wC4mA+FLxt3ntRpwh2ZP1U
XrmFV3ci/ZjyyfOLeSTx0yW0/z/ji8yu4ZuZSalsFAq7+ASDbtprYlhBTxJ6O2am
gRXAnryKX30LI3E2JvzR2VUHU4X1HynBkhrNmG20enG61nCQ929gmDvnL1TtxVkm
kaPMpTqZVaY4ql74oyHgc46FYdR3BniUK06guBivDarrxsUe+6RAinryUIeztGkP
iNsc05+Q/QN8zYEW81ERY4sH7EMqFN7dDLek/VAhf/K54jRhhc8ox2wi2BiUquP9
uROV+RffgY1DyuQbWO8EQWb04jBPOkTTxXI59sYtXGYU4KnPJy3GjQbZDyudD4Ef
tY226s7TM5TVbrMCI0M8t6jZ2c/FM4m+caJR1BL5AGnohDC0/IdNEnz7e3E4u6H9
EIVwdP+Bo1efzNIsUkD1dGnOwqy0tVtxqSFI5Qg33W4szu0j9b5Hb2R82o/B6NUw
WR+eJ1JaO4VRAyom311LtsdW/FbDKTZiB8IREJLpJocZHNyHG1sWY0q3K8jSgouM
2nuyYw1scQw=
=MXcb
-----END PGP SIGNATURE-----