===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2902
                      Citrix Hypervisor Security Update
                               25 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Hypervisor
Operating System:  Citrix XenServer
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14364 CVE-2018-17958
Reference:         ESB-2019.3215
                   ESB-2019.3067
                   ESB-2019.1961
                   ESB-2019.1944.2

Original Bulletin:
   https://support.citrix.com/article/CTX280451

--------------------------BEGIN INCLUDED TEXT--------------------

Citrix Hypervisor Security Update

Reference: CTX280451
Category : High
Created  : 24 Aug 2020
Modified : 24 Aug 2020

Applicable Products

  o Citrix Hypervisor
  o XenServer

Description of Problem

Two issues have been identified in Citrix Hypervisor that may, in certain
configurations, allow privileged code in an HVM guest VM to execute code in
the control domain, potentially compromising the host.

These vulnerabilities affect all currently supported versions of Citrix
XenServer up to and including Citrix Hypervisor 8.2 LTSR.

These issues have the following identifiers:

  o CVE-2020-14364
  o CVE-2018-17958

Mitigating Factors

For customers who have not assigned PCI passthrough devices to untrustworthy
guests (using the PCI-passthrough functionality of Citrix Hypervisor), the
vulnerability is reduced to executing code within a deprivileged environment
within the control domain.

What Customers Should Do

Hotfixes have been released to address these issues. Citrix recommends that
affected customers install these hotfixes as soon as practicable.
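The remediation in this section touches every HVM guest on the host (each must be restarted or migrated once the hotfix is on), and the mitigating factors above single out HVM guests that have PCI passthrough devices. The following dom0 triage script is an added example, not part of the Citrix or AusCERT bulletin; it assumes the standard `xe vm-list` record layout and XenServer's `other-config:pci` key for passthrough assignments.

```shell
#!/bin/sh
# Added example (not part of the Citrix/AusCERT bulletin). Run in the control
# domain (dom0) to list the HVM guests that must be restarted or migrated once
# the hotfix is applied, and flag those with a PCI passthrough device, the
# configuration the bulletin names as the higher-risk one.
# Assumes the usual `xe` record layout ("param ( RW) : value", records
# separated by blank lines) and XenServer's other-config:pci key for
# passthrough assignments.

# Reads `xe vm-list params=name-label,HVM-boot-policy,other-config` output on
# stdin; prints "<name-label><TAB>passthrough|no-passthrough" per HVM guest.
# PV guests have an empty HVM-boot-policy and are skipped.
classify_vms() {
  awk '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
    function emit() {
      if (name != "" && hvm != "")
        printf "%s\t%s\n", name, (pci ? "passthrough" : "no-passthrough")
      name = ""; hvm = ""; pci = 0
    }
    /^[ \t]*name-label /      { name = val($0) }
    /^[ \t]*HVM-boot-policy / { hvm = val($0) }
    /^[ \t]*other-config /    { if ($0 ~ /[; ]pci: /) pci = 1 }
    /^[ \t]*$/                { emit() }
    END                       { emit() }
  '
}

# Constructed sample output (not real host data): one PV guest, one plain HVM
# guest and one HVM guest with a GPU passed through.
SAMPLE_VM_LIST='name-label ( RW)       : pv-guest
HVM-boot-policy ( RW)  :
other-config (MRW)     : auto_poweron: true


name-label ( RW)       : hvm-guest
HVM-boot-policy ( RW)  : BIOS order
other-config (MRW)     :


name-label ( RW)       : hvm-gpu-guest
HVM-boot-policy ( RW)  : BIOS order
other-config (MRW)     : pci: 0/0000:03:00.0; auto_poweron: true
'

# On a live host replace the sample with:
#   xe vm-list params=name-label,HVM-boot-policy,other-config | classify_vms
printf '%s\n' "$SAMPLE_VM_LIST" | classify_vms
```

Guests reported as "passthrough" are the ones whose owners' trustworthiness decides whether the reduced-impact case in Mitigating Factors applies.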
The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.2 LTSR:    CTX280214 - https://support.citrix.com/article/CTX280214
Citrix Hypervisor 8.1:         CTX280213 - https://support.citrix.com/article/CTX280213
Citrix Hypervisor 8.0:         CTX280212 - https://support.citrix.com/article/CTX280212
Citrix XenServer 7.1 LTSR CU2: CTX280211 - https://support.citrix.com/article/CTX280211
Citrix XenServer 7.0:          CTX280210 - https://support.citrix.com/article/CTX280210

Once the hotfix has been applied, the affected guest HVM VMs will need to be
restarted or migrated to an updated host to make the remediation effective.

Customers on Citrix Hypervisor 8.0 should be aware that this version will
become End of Life on 31st August 2020 and that Citrix recommends that
customers upgrade to a newer version.

Acknowledgements

Changelog

+--------------------------+--------------------------------------------------+
|Date                      |Change                                            |
+--------------------------+--------------------------------------------------+
|2020-08-24                |Initial Publication                               |
+--------------------------+--------------------------------------------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================