-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1714.2
                     Citrix Hypervisor Security Update
                                17 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Hypervisor
Publisher:         Citrix
Operating System:  Citrix XenServer
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11091 CVE-2018-12130 CVE-2018-12127
                   CVE-2018-12126  

Reference:         ASB-2019.0138
                   ESB-2019.1708
                   ESB-2019.1706
                   ESB-2019.1705

Original Bulletin: 
   https://support.citrix.com/article/CTX251995

Revision History:  May 17 2019: Added additional hotfixes
                   May 15 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Hypervisor Security Update

Reference: CTX251995

Category : High

Created  : 14 May 2019

Modified : 16 May 2019

Applicable Products

  o XenServer 7.6
  o XenServer 7.1 LTSR Cumulative Update 2
  o XenServer 7.0
  o Citrix Hypervisor 8.0

Description of Problem

A number of security issues have been identified in certain CPU hardware that
may allow unprivileged code running on a CPU core to infer the value of memory
data belonging to other processes, virtual machines or the hypervisor that are,
or have recently been, running on the same CPU core.

These issues have the following identifiers:

o CVE-2018-12126: Microarchitectural Store Buffer Data Sampling

o CVE-2018-12127: Microarchitectural Load Port Data Sampling

o CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling

o CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory

Although these are not vulnerabilities in the Citrix Hypervisor (formerly
Citrix XenServer) product, this bulletin and the associated hotfixes provide
assistance in mitigating these CPU issues.

Mitigating Factors

Customers with AMD CPUs are believed to be unaffected by these issues.

Some Intel CPUs are believed to be unaffected by these issues. A list of
affected Intel CPUs is expected to be made available at
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

Identification of the specific CPU(s) present on a Citrix Hypervisor machine
may be obtained by typing the command

grep "model name" /proc/cpuinfo

in the Dom0 console.

What Customers Should Do

Full mitigation of these issues for systems with vulnerable CPUs requires all
of:

 1. Updates to Citrix Hypervisor
 2. Updates to the CPU microcode
 3. Disabling CPU hyper-threading (also known as simultaneous multi-threading)

In addition, updates to guest operating systems may be required to protect
guest VMs from code running within that same VM. Guest VMs will need to be
stopped and started (rather than rebooted) to fully mitigate these issues
within the guest VM. Customers are advised to follow their operating system
provider's recommendations. Likewise, updates to the host system firmware
("BIOS updates") may be required and Citrix recommends that you follow the
guidance of your hardware vendor for any updates that they may provide.

Updates to Citrix Hypervisor

Citrix has released hotfixes that contain mitigations for these CPU issues.
These hotfixes can be found on the Citrix website at the following locations:

Citrix Hypervisor 8.0: CTX250041 - https://support.citrix.com/article/CTX250041

Citrix XenServer 7.6: CTX250040 - https://support.citrix.com/article/CTX250040

Citrix XenServer 7.1 LTSR CU2: CTX250039 - https://support.citrix.com/article/CTX250039

Citrix XenServer 7.0: CTX250038 - https://support.citrix.com/article/CTX250038

Updates to the CPU microcode

The hotfixes released with this bulletin contain microcode for all supported
CPU models for which Intel has presently made updates available. This microcode
will be automatically applied each time the system boots. Any further microcode
updates may be installed by means of system firmware updates ("BIOS updates")
and Citrix strongly recommends that you follow the guidance of your hardware
vendor for any updates that they may provide.

CPUs that are vulnerable to these issues, and for which the CPU manufacturer
has not provided microcode updates, will not have full mitigation of these
issues.

Once the hotfix has been applied, customers with vulnerable CPUs can determine
if the microcode required to mitigate these issues has been loaded into the CPU
by typing the command

xl dmesg | grep "Hardware features:"

in the Dom0 console shortly after the host has rebooted to apply the hotfix. If
the output includes the text MD_CLEAR, updated microcode is present.

Disabling CPU hyper-threading

Mitigation of these issues requires disabling hyper-threading on vulnerable
CPUs. Customers should evaluate their workload, determine whether the
mitigation of disabling hyper-threading is required in their environment, and
understand the performance impact of this mitigation. Citrix recommends
disabling hyper-threading in deployments with untrusted workloads. The
following document provides the steps to disable hyper-threading via the Xen
command line: https://support.citrix.com/article/CTX237190

Note that disabling hyper-threading will result in the number of available
pCPUs being reduced and is likely to adversely impact performance. The
following document covers additional issues that may be encountered in
environments where customers have over-provisioned or pinned pCPUs (for example
when hyper-threads are disabled): https://support.citrix.com/article/CTX236977
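The following is an added example, not part of the Citrix bulletin or of
AusCERT's text: a small POSIX shell script for the Dom0 console that
combines the two checks the bulletin names (the "model name" lines of
/proc/cpuinfo and the MD_CLEAR flag on the "Hardware features:" line of
`xl dmesg`) with a check that hyper-threading has been turned off on the Xen
command line. The hyper-threading check assumes that the Xen boot option used
is smt=false (or smt=0/off) and that `xl dmesg` echoes the boot options on a
"Command line:" line; neither detail is stated in the bulletin. The functions
take command output as an argument so the logic can be exercised on the
constructed sample text embedded below; run_live feeds them the real commands.

```shell
#!/bin/sh
# Added example (not from the Citrix bulletin): verify the MDS mitigation
# prerequisites on a Citrix Hypervisor / XenServer Dom0.

# Check 1: updated microcode. Returns 0 if the "Hardware features:" line of
# `xl dmesg` output ($1) contains MD_CLEAR, as the bulletin describes.
has_md_clear() {
    printf '%s\n' "$1" | grep "Hardware features:" | grep -q "MD_CLEAR"
}

# Check 2: CPU identification. Prints the distinct "model name" values from
# /proc/cpuinfo-style text ($1), one per line, for comparison against Intel's
# affected-CPU list. Returns non-zero if no model name was found.
cpu_models() {
    printf '%s\n' "$1" | grep "^model name" | cut -d: -f2- \
        | sed 's/^[[:space:]]*//' | sort -u | grep .
}

# Check 3: hyper-threading disabled via the Xen command line.
# ASSUMPTION: the option is smt=false (or smt=0 / smt=off) and `xl dmesg`
# reports the boot options on a "Command line:" line.
smt_disabled_on_cmdline() {
    printf '%s\n' "$1" | grep "Command line:" \
        | grep -Eq '(^|[[:space:]])smt=(false|0|off)([[:space:]]|$)'
}

# Summarise all checks. $1: `xl dmesg` text, $2: /proc/cpuinfo text.
# Prints one status line per check; returns 0 only if every check passes.
mds_status() {
    dmesg_text=$1
    cpuinfo_text=$2
    rc=0
    if has_md_clear "$dmesg_text"; then
        echo "microcode:       MD_CLEAR present"
    else
        echo "microcode:       MD_CLEAR absent (apply hotfix / BIOS update)"
        rc=1
    fi
    if smt_disabled_on_cmdline "$dmesg_text"; then
        echo "hyper-threading: disabled on Xen command line"
    else
        echo "hyper-threading: not disabled on Xen command line"
        rc=1
    fi
    models=$(cpu_models "$cpuinfo_text") || models=""
    if [ -n "$models" ]; then
        echo "cpu models (compare with Intel's affected list):"
        printf '%s\n' "$models" | sed 's/^/  /'
    else
        echo "cpu models:      none found in /proc/cpuinfo"
        rc=1
    fi
    return $rc
}

# Constructed sample input (not captured from a real host): microcode with
# MD_CLEAR is present, but hyper-threading has not been disabled.
SAMPLE_DMESG='(XEN) Command line: dom0_mem=4096M,max:4096M watchdog
(XEN) Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD MD_CLEAR'
SAMPLE_CPUINFO='processor       : 0
model name      : Intel(R) Xeon(R) CPU SAMPLE-0000 @ 2.00GHz
processor       : 1
model name      : Intel(R) Xeon(R) CPU SAMPLE-0000 @ 2.00GHz'

# On a real Dom0 console, run this instead of the sample below.
run_live() {
    mds_status "$(xl dmesg)" "$(cat /proc/cpuinfo)"
}

mds_status "$SAMPLE_DMESG" "$SAMPLE_CPUINFO" \
    || echo "result: one or more mitigation prerequisites are missing"
```

The script only reads `xl dmesg` and /proc/cpuinfo; it changes nothing on the
host. A passing result still says nothing about guest-side updates or the
BIOS-delivered microcode the bulletin also asks customers to track, so treat
it as a quick post-hotfix sanity check, not as proof of full mitigation.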

Changelog

+------------+----------------------------------------------------------------+
|Date        |Change                                                          |
+------------+----------------------------------------------------------------+
|14th May    |Initial publication                                             |
|2019        |                                                                |
+------------+----------------------------------------------------------------+
|16th May    |Added additional hotfixes and included guidance on restarting   |
|2019        |guest VMs                                                       |
+------------+----------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----