
             AUSCERT External Security Bulletin Redistribution

                     Citrix Hypervisor Security Update
                             14 November 2019


        AusCERT Security Bulletin Summary

Product:           Citrix Hypervisor
Publisher:         Citrix
Operating System:  Citrix XenServer
Impact/Access:     Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11135 CVE-2018-12207 

Reference:         ASB-2019.0330

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

Citrix Hypervisor Security Update

Reference: CTX263684

Category : High

Created  : 12 Nov 2019

Modified : 12 Nov 2019

Applicable Products

  o Citrix Hypervisor 8.0
  o XenServer 7.6
  o XenServer 7.1 LTSR Cumulative Update 2
  o XenServer 7.0

Description of Problem

A security issue has been identified in certain CPU hardware that may allow
unprivileged code running on a CPU core to infer the value of memory data
belonging to other processes, virtual machines or the hypervisor that are, or
have recently been, running on the same CPU core.

This issue has the following identifier:

o CVE-2019-11135: TSX Asynchronous Abort

A further security issue has been identified in certain CPU hardware that may
allow privileged code running in an HVM guest VM to cause the host to crash.

This issue has the following identifier:

o CVE-2018-12207: Machine Check Error on Page Size Change

Although these are not vulnerabilities in the Citrix Hypervisor (formerly
Citrix XenServer) product, this bulletin and associated hotfixes provide
assistance in mitigating these CPU issues. These hotfixes include updated CPU
microcode that addresses these and other CPU issues and may, depending on
workload, have a noticeable performance impact.

In addition to these CPU issues, Citrix is aware of certain issues involving
Intel 700 Series network interface cards (NICs) that may require vendor
firmware updates. Although these are not vulnerabilities in Citrix Hypervisor,
Citrix is providing updated drivers for both the Long-Term Support Release
(LTSR) and the latest Current Release (CR) to support new firmware.

These issues affect all currently supported versions of Citrix Hypervisor up to
and including Citrix Hypervisor 8.0.

Mitigating Factors

Customers running only AMD CPUs and with no Intel 700 Series NICs are
unaffected by these issues.

CVE-2019-11135 only affects certain Intel CPUs; Citrix expects that details of
which models are affected by these issues will be available at https://
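
The vendor and NIC conditions above can be checked on each host. The shell
functions below are an added example, not part of the Citrix or AusCERT
bulletin; they assume a Linux control domain where /proc/cpuinfo and
/sys/class/net are readable, and the names cpu_vendors, i40e_nics and triage
are illustrative.

```shell
#!/bin/sh
# Added example: per-host triage for the bulletin's mitigating-factors rule
# ("only AMD CPUs and no Intel 700 Series NICs" means unaffected).
# File locations are parameters so the logic can be exercised on fixtures.

# Print the distinct CPU vendor strings found in a cpuinfo-format file.
cpu_vendors() {
    awk -F': *' '/^vendor_id/ {print $2}' "${1:-/proc/cpuinfo}" | sort -u
}

# Print the interfaces under a sysfs net root that are bound to the i40e
# driver (the driver the bulletin names for Intel 700 Series NICs).
i40e_nics() {
    root="${1:-/sys/class/net}"
    for dev in "$root"/*; do
        # Virtual interfaces (lo, bridges) have no device/driver link.
        [ -L "$dev/device/driver" ] || continue
        drv=$(basename "$(readlink "$dev/device/driver")")
        [ "$drv" = "i40e" ] && basename "$dev"
    done
    return 0
}

# Report which parts of the bulletin need review on this host.
# cpu=unaffected only when every listed vendor is AuthenticAMD; anything
# else, including an unreadable cpuinfo file, is reported as "review".
triage() {
    vendors=$(cpu_vendors "$1")
    nics=$(i40e_nics "$2")
    if [ "$vendors" = "AuthenticAMD" ]; then cpu=unaffected; else cpu=review; fi
    if [ -n "$nics" ]; then nic=review; else nic=unaffected; fi
    echo "cpu=$cpu nic=$nic"
}

# With no arguments this reads the live /proc/cpuinfo and /sys/class/net.
triage "$@"
```

A result of cpu=review means only that the host is not AMD-only; whether a
given Intel model is affected still has to be confirmed against the vendor's
list. Run the check on every host in a pool, since the rule applies to the
deployment as a whole.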

What Customers Should Do

Citrix recommends that customers take four actions to mitigate these issues:

  i)   apply firmware updates;
  ii)  apply hotfixes;
  iii) apply driver updates; and
  iv)  consider enabling/disabling CVE-2018-12207 protection.

Note that these steps need not be performed in this order. Customers wishing
to minimise reboot cycles may wish to consider enabling CVE-2018-12207
protection, applying the hotfix and driver updates, and then updating firmware
during the reboot cycle for the hotfix/driver updates.

Customers should also be alert to potential workload-dependent performance
impacts from updated microcode.

Applying firmware

Citrix recommends that customers follow the guidance of their hardware vendor
with respect to obtaining and applying updated firmware for their hardware,
both for the base system firmware ("BIOS") and for any Intel 700 Series NICs.

Applying hotfixes

Hotfixes have been released to mitigate these issues. Citrix recommends that
affected customers install these hotfixes as their patching schedules allow.
The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.0: CTX263663 - https://support.citrix.com/article/CTX263663

Citrix XenServer 7.6: CTX263662 - https://support.citrix.com/article/CTX263662

Citrix XenServer 7.1 LTSR CU2: CTX263661 - https://support.citrix.com/article/

Citrix XenServer 7.0: CTX263660 - https://support.citrix.com/article/CTX263660

Applying driver updates

Citrix has released i40e driver update disks for Intel 700 Series NICs for the
LTSR and latest CR release. These may be found at:

Citrix Hypervisor 8.0: CTX263699 - https://support.citrix.com/article/CTX263699

Citrix XenServer 7.1 LTSR CU2: CTX263698 - https://support.citrix.com/article/

Enabling/disabling CVE-2018-12207 protection

This issue may allow privileged code running in an HVM guest VM to crash the
host. Mitigating this hardware issue in software has a further performance
impact; the size of this further impact is heavily workload dependent but is
expected to be noticeable. Citrix therefore recommends that customers carefully
consider the relative impacts of not mitigating this issue against the
performance impact and enable or disable the CVE-2018-12207 mitigations by
following the instructions in CTX263718 - https://support.citrix.com/article/

Note that CVE-2018-12207 will not be mitigated unless this protection has been
explicitly enabled.


|Date                                 |Change                                 |
|12th November 2019                   |Initial Publication                    |

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.