-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4040
                      Citrix Hypervisor Security Update
                              13 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Hypervisor
                   XenServer
Publisher:         Citrix
Operating System:  Virtualisation
                   Citrix XenServer
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8698 CVE-2020-8696

Reference:         ESB-2020.4033
                   ESB-2020.4017
                   ESB-2020.4013
                   ESB-2020.3959

Original Bulletin:
   https://support.citrix.com/article/CTX285937

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Hypervisor Security Update

Reference: CTX285937
Category : Medium
Created  : 12 Nov 2020
Modified : 12 Nov 2020

Applicable Products

  o Citrix Hypervisor
  o XenServer

Description of Problem

A security issue has been identified in Citrix Hypervisor that may allow
privileged code running in a guest VM to infer details of some computations
occurring in other VMs on the host. This may, for example, be used to infer a
secret encryption key used by a web server in a different VM.

A CVE identifier for this issue is not yet available.

+---------------------+---------------------+---------------------+---------------------+
|CVE ID               |Description          |Vulnerability Type   |Pre-conditions       |
+---------------------+---------------------+---------------------+---------------------+
|TBA                  |Side-channel attack  |CWE-1300             |Malicious code       |
|                     |through exposed      |                     |executing on the     |
|                     |power-monitoring     |                     |host.                |
|                     |interface            |                     |                     |
+---------------------+---------------------+---------------------+---------------------+

This issue affects all currently supported versions of Citrix Hypervisor up to
and including Citrix Hypervisor 8.2 LTSR.
In addition, Citrix is aware of two recently disclosed issues affecting Intel
CPUs which are addressed by updated microcode from Intel. Although these are
issues in the underlying hardware platform, Citrix has included this updated
microcode in the hotfixes associated with this bulletin to assist customers who
have not obtained updated firmware from their hardware vendor. These issues
have the following identifiers:

  o CVE-2020-8696
  o CVE-2020-8698

These CPU issues may allow code running in a VM to obtain data being used in
computations within other VMs or other processes within the same VM.

Customers should note that it is necessary to reboot the host for the microcode
update that protects against these Intel CPU issues to take effect. Customers
who are using the Live Patching feature of Citrix Hypervisor and who do not
need the microcode update (either because they are using a CPU from a different
vendor or because they have already updated their host BIOS/UEFI firmware) do
not need to reboot the host after applying the update.

What Customers Should Do

Citrix has released hotfixes to address this issue. Citrix recommends that
affected customers install these hotfixes as their patching schedule allows.
The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.2 LTSR:    CTX285172 - https://support.citrix.com/article/CTX285172
Citrix Hypervisor 8.1:         CTX285171 - https://support.citrix.com/article/CTX285171
Citrix XenServer 7.1 LTSR CU2: CTX285170 - https://support.citrix.com/article/CTX285170
Citrix XenServer 7.0:          CTX285169 - https://support.citrix.com/article/CTX285169

Customers who are using the Live Patching feature of Citrix Hypervisor should
consider rebooting the host machine if they are in need of the microcode update
described above.
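The reboot rule above (Intel host with microcode still below the fixed revision: reboot; non-Intel host or firmware already carrying the fix: Live Patching hosts may stay up) is easy to get wrong across a fleet. The following post-hotfix check is an added example, not part of the AusCERT or Citrix bulletin. It parses the /proc/cpuinfo text of a Citrix Hypervisor dom0 host and reports whether a reboot is still needed. The required-revision table is a placeholder keyed by CPU (family, model, stepping): the bulletin gives no revision numbers, so the operator fills it from Intel's microcode release notes. It also assumes the dom0 kernel's "microcode" field reflects the revision the hypervisor actually loaded; the sample input is constructed.

```python
"""Post-hotfix microcode check for a Citrix Hypervisor (dom0, Linux) host.

Added example, not part of the bulletin. Applies the bulletin's reboot rule
to parsed /proc/cpuinfo records:
  - Intel CPU with loaded microcode below the required revision -> reboot
  - non-Intel CPU, or microcode already at/above the revision -> no reboot
    (a Live Patching host can stay up)
Assumption: the dom0 "microcode" field shows the revision the hypervisor
loaded at boot, so it is stale until the host has been rebooted.
"""
from collections import Counter

# PLACEHOLDER table: the bulletin does not state microcode revisions. Fill it
# with the revisions Intel publishes for each CPU signature in your estate.
REQUIRED_MICROCODE_REV = {
    (6, 85, 4): 0x2006A0A,   # hypothetical (family, model, stepping) -> revision
}

# Constructed sample of /proc/cpuinfo: two logical CPUs, still on old microcode.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Intel(R) Xeon(R) CPU (constructed sample)
stepping\t: 4
microcode\t: 0x2006906
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Intel(R) Xeon(R) CPU (constructed sample)
stepping\t: 4
microcode\t: 0x2006906
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic
"""


def parse_cpuinfo(text):
    """Return one record per logical CPU: number, vendor, signature, microcode."""
    blocks, cur = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line separates CPUs
            if cur:
                blocks.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        blocks.append(cur)
    records = []
    for b in blocks:
        records.append({
            "cpu": int(b["processor"]),
            "vendor": b.get("vendor_id", ""),
            "signature": (int(b["cpu family"]), int(b["model"]), int(b["stepping"])),
            # microcode is printed as hex ("0x2006906"); None if the field is absent
            "microcode": int(b["microcode"], 16) if "microcode" in b else None,
        })
    return records


def assess(cpus, required=REQUIRED_MICROCODE_REV):
    """Decide, per the bulletin's rule, whether this host still needs a reboot."""
    vendors = {c["vendor"] for c in cpus}
    if vendors != {"GenuineIntel"}:
        # The hotfix's Intel microcode is irrelevant here; Live Patching suffices.
        return {"reboot_required": False, "reason": "non-Intel CPU", "stale_cpus": []}
    stale = []
    for c in cpus:
        need = required.get(c["signature"])
        # Unknown signature: we cannot prove the fix is loaded, so treat as stale.
        if need is None or c["microcode"] is None or c["microcode"] < need:
            stale.append(c["cpu"])
    # Different revisions across cores means a partial load; also demand a reboot.
    mixed = len(Counter(c["microcode"] for c in cpus)) > 1
    if stale or mixed:
        return {"reboot_required": True,
                "reason": "loaded microcode not verified at required revision",
                "stale_cpus": stale}
    return {"reboot_required": False, "reason": "required microcode loaded", "stale_cpus": []}


def check_host(path="/proc/cpuinfo"):
    """Run the check against the live host (dom0) instead of the sample text."""
    with open(path) as fh:
        return assess(parse_cpuinfo(fh.read()))


if __name__ == "__main__":
    print(assess(parse_cpuinfo(SAMPLE_CPUINFO)))
```

Run it on the host after applying the hotfix and again after the reboot: the first run should report reboot_required True for an Intel host on old microcode, the second False. If the dom0 "microcode" field turns out not to track the hypervisor-loaded revision on a given release, the same comparison can be made against the microcode line in the hypervisor's boot log (xl dmesg) instead.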
Changelog

+--------------------------+--------------------------------------------------+
|Date                      |Change                                            |
+--------------------------+--------------------------------------------------+
|2020-11-12                |Initial Publication                               |
+--------------------------+--------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX63P7+NLKJtyKPYoAQg8hQ//cwdhBPVogXivM2A8PybSxsjacVvHuMJZ
QKuT20++FChgiptOwKsytv6qQkijZtDQ9NAGJ9Ot1ZKj+37a3BtwM4Z4hmrj51C/
R4LJ9T8wu3N2PSqW2ZUZI87A5twKC02eJDs0854bxtQBpVJSQkQ1laTywlDZh+4J
j/7ocA2KS1RPKJaXT8vZgpxKwn+XH7cwS8d3WsS0R3P/pJKDGLVc/XbnUhD0txx/
26gL5LkegJx37iDQa34fhqUdQIFSSf02t5+BBXd5HuFTJ4RGPl9DnijlAqkXWl+T
nJcgKGq5swAVLFpYUjREGpcTABuXjtjuVmchUNkBUTHHj2Ynt/hJ5rPbGlNAQXpF
bp3It47BqiJAC32yEPHo5NFx86MbK4V+pQSq63prBSBa8wWVtaMSQF3TkxggASbY
DtP7WLjJEzp7Qk3OjXnd9NiXnWZSRG1nSWduUNT9CD9MjR6p3mXlnT689lO2N4LZ
mtb+lvBLy5qr8a8wFnpsDW/jD1BdHwPBuWStyKZZThVRn/ifFwJ0wFuuAXsipauy
/p1mEx8RGv8clRtT1GIjx3vOfg0+bf4YvNTx8hYSnpI7qV1yFmJKzBuQ8dGkN9Dr
CUhgHorB5OmSa33wCkkrkw24ZdrcPci0g7IGrkz6i57TWtkHPB+Qqt4XMEDmokQp
ma5gueFt5RM=
=h7vr
-----END PGP SIGNATURE-----