===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4301
                     Citrix Hypervisor Security Update
                              14 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Hypervisor
Publisher:         Citrix
Operating System:  Citrix XenServer
Impact/Access:     Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11135 CVE-2018-12207
Reference:         ASB-2019.0330 ASB-2019.0322 ASB-2019.0313

Original Bulletin:
   https://support.citrix.com/article/CTX263684

--------------------------BEGIN INCLUDED TEXT--------------------

Citrix Hypervisor Security Update

Reference: CTX263684
Category : High
Created  : 12 Nov 2019
Modified : 12 Nov 2019

Applicable Products

  o Citrix Hypervisor 8.0
  o XenServer 7.6
  o XenServer 7.1 LTSR Cumulative Update 2
  o XenServer 7.0

Description of Problem

A security issue has been identified in certain CPU hardware that may allow
unprivileged code running on a CPU core to infer the value of memory data
belonging to other processes, virtual machines or the hypervisor that are, or
have recently been, running on the same CPU core. This issue has the following
identifier:

  o CVE-2019-11135: TSX Asynchronous Abort

A further security issue has been identified in certain CPU hardware that may
allow privileged code running in an HVM guest VM to cause the host to crash.
This issue has the following identifier:

  o CVE-2018-12207: Machine Check Error on Page Size Change

Although these are not vulnerabilities in the Citrix Hypervisor (formerly
Citrix XenServer) product, this bulletin and associated hotfixes provide
assistance in mitigating these CPU issues.
These hotfixes include updated CPU microcode that addresses these and other CPU
issues and may, depending on workload, have a noticeable performance impact.

In addition to these CPU issues, Citrix is aware of certain issues involving
Intel 700 Series network interface cards (NICs) that may require vendor
firmware updates. Although these are not vulnerabilities in Citrix Hypervisor,
Citrix is providing updated drivers for both the Long-Term Support Release
(LTSR) and the latest Current Release (CR) to support new firmware.

These issues affect all currently supported versions of Citrix Hypervisor up to
and including Citrix Hypervisor 8.0.

Mitigating Factors

Customers running only AMD CPUs and with no Intel 700 Series NICs are
unaffected by these issues.

CVE-2019-11135 only affects certain Intel CPUs; Citrix expects that details of
which models are affected by these issues will be available at
https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu

What Customers Should Do

Citrix recommends that customers take four actions to mitigate these issues:

  i)   apply firmware updates;
  ii)  apply hotfixes;
  iii) apply driver updates; and
  iv)  consider enabling/disabling CVE-2018-12207 protection.

Note that these steps need not be performed in this order. Customers wishing
to minimise reboot cycles may wish to consider enabling CVE-2018-12207
protection and applying the hotfix and driver updates, and then updating
firmware during the reboot cycle for the hotfix/driver updates. Customers
should also be alert to potential workload-dependent performance impacts from
updated microcode.

Applying firmware

Citrix recommends that customers follow the guidance of their hardware vendor
with respect to obtaining and applying updated firmware for their hardware,
both for the base system firmware ("BIOS") and for any Intel 700 Series NICs.

Applying hotfixes

Hotfixes have been released to mitigate these issues.
Citrix recommends that affected customers install these hotfixes as their
patching schedules allow. The hotfixes can be downloaded from the following
locations:

Citrix Hypervisor 8.0:         CTX263663 - https://support.citrix.com/article/CTX263663
Citrix XenServer 7.6:          CTX263662 - https://support.citrix.com/article/CTX263662
Citrix XenServer 7.1 LTSR CU2: CTX263661 - https://support.citrix.com/article/CTX263661
Citrix XenServer 7.0:          CTX263660 - https://support.citrix.com/article/CTX263660

Apply driver updates

Citrix has released i40e driver update disks for Intel 700 Series NICs for the
LTSR and latest CR release. These may be found at:

Citrix Hypervisor 8.0:         CTX263699 - https://support.citrix.com/article/CTX263699
Citrix XenServer 7.1 LTSR CU2: CTX263698 - https://support.citrix.com/article/CTX263698

Enabling/disabling CVE-2018-12207 protection

This issue may allow privileged code running in an HVM guest VM to crash the
host. Mitigating this hardware issue in software has a further performance
impact; the size of this further impact is heavily workload dependent but is
expected to be noticeable. Citrix therefore recommends that customers
carefully weigh the risk of leaving this issue unmitigated against the
performance impact, and enable or disable the CVE-2018-12207 mitigations by
following the instructions in CTX263718 -
https://support.citrix.com/article/CTX263718

Note that CVE-2018-12207 will not be mitigated unless this protection has been
explicitly enabled.

Changelog

+-------------------------------------+---------------------------------------+
|Date                                 |Change                                 |
+-------------------------------------+---------------------------------------+
|12th November 2019                   |Initial Publication                    |
+-------------------------------------+---------------------------------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
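As an added defender's check (not part of the bulletin, and not Citrix or AusCERT tooling), the POSIX shell script below reads the Linux kernel's sysfs vulnerability files for the two CPU issues this bulletin covers, tsx_async_abort (CVE-2019-11135) and itlb_multihit (CVE-2018-12207), and reports whether the kernel sees each as "Not affected", mitigated, or still vulnerable. It assumes a kernel that exposes those files; on a Xen host they reflect what the dom0 kernel detects, which is not necessarily the hypervisor's own mitigation state, so use it as a sanity check alongside the CTX263718 instructions, not as a substitute for them.

```shell
#!/bin/sh
# Added example: report the kernel's view of the two CPU issues in ESB-2019.4301.
# Default sysfs location; a directory argument lets the check run against a
# constructed copy of these files (used for testing below).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# vuln_status FILE -> prints one of: not-affected, mitigated, vulnerable, unknown
# Kernel strings look like "Not affected", "Mitigation: TSX disabled",
# "Mitigation: Clear CPU buffers; SMT vulnerable", "KVM: Vulnerable",
# "Processor vulnerable". "Mitigation" is matched before "vulnerable" so the
# SMT caveat on a mitigated TAA line is not misread as unmitigated.
vuln_status() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    s=$(cat "$f")
    case "$s" in
        "Not affected"*)  echo not-affected ;;
        *Mitigation*)     echo mitigated ;;
        *[Vv]ulnerable*)  echo vulnerable ;;
        *)                echo unknown ;;
    esac
}

# audit_host [DIR] -> one line per issue; returns 0 only when both issues are
# reported as not-affected or mitigated, 1 otherwise (vulnerable or unknown).
audit_host() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    rc=0
    for pair in "tsx_async_abort:CVE-2019-11135" "itlb_multihit:CVE-2018-12207"; do
        name=${pair%%:*}
        cve=${pair#*:}
        st=$(vuln_status "$dir/$name")
        raw=$( [ -r "$dir/$name" ] && cat "$dir/$name" || echo "file missing" )
        printf '%-16s %-15s %-13s %s\n' "$name" "$cve" "$st" "$raw"
        case "$st" in
            not-affected|mitigated) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Run the audit against the real sysfs path only when explicitly requested,
# e.g. AUDIT_NOW=1 sh audit.sh
if [ "${AUDIT_NOW:-0}" = 1 ]; then
    audit_host "${1:-}"
fi
```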