CTX277456

Citrix Hypervisor Security Update

Applicable Products

  • Citrix Hypervisor
  • XenServer

Description of Problem

Two issues have been identified in Citrix Hypervisor that may, if exploited, allow privileged code in an HVM guest VM to compromise or crash the host.  These issues only apply in specific configurations; furthermore, Citrix believes that there would be significant difficulty in successfully executing these specific attacks.

CVE-2020-15565: insufficient cache write-back under VT-d

This issue may allow the administrator of an HVM guest VM to compromise the host.  This issue is only applicable to hosts where the host administrator has explicitly assigned a PCI-passthrough device to the attacking VM.  Hosts with AMD CPUs are not affected.  Hosts where Hardware Assisted Paging (HAP) has been disabled for the attacking VM, or where the host CPU does not support HAP, are not affected.

CVE-2020-15563: inverted code paths in x86 dirty VRAM tracking

This issue may allow the administrator of an HVM guest VM to crash the host.  This issue is only applicable to hosts that do not have HAP (or deployments where the host administrator has explicitly enabled shadow paging for the attacking VM).  Furthermore, the console of the attacking VM must be actively consumed, e.g. by monitoring it from XenCenter.

CVE-2020-15565 affects all supported releases of Citrix Hypervisor, up to and including Citrix Hypervisor 8.2 LTSR.

CVE-2020-15563 affects Citrix Hypervisor 8.2 LTSR, Citrix Hypervisor 8.1 and Citrix Hypervisor 8.0.

Mitigating Factors

See the per-issue descriptions above.  Note in particular that customers are not at risk from these issues if they have not assigned PCI passthrough devices to untrustworthy guests, are using hosts with HAP support, and have not explicitly enabled shadow paging.  Most recent CPUs have HAP support (known as EPT on Intel systems).
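
The per-issue conditions above can be combined into a triage check over a VM inventory. The following Python is an added example, not Citrix code: the Guest field names and the sample inventory are hypothetical, and the release sets assume that the supported releases are the ones this bulletin lists hotfixes for.

```python
from dataclasses import dataclass

# Affected releases per CVE. Assumption: "all supported releases" for
# CVE-2020-15565 means the releases this bulletin lists hotfixes for.
AFFECTED = {
    "CVE-2020-15565": {"7.0", "7.1 LTSR CU2", "8.0", "8.1", "8.2 LTSR"},
    "CVE-2020-15563": {"8.0", "8.1", "8.2 LTSR"},
}

@dataclass
class Guest:  # hypothetical field names; fill them from your own inventory
    name: str
    release: str            # release running on the guest's host
    cpu_vendor: str         # host CPU vendor: "Intel" or "AMD"
    host_has_hap: bool      # host CPU supports HAP (EPT on Intel)
    is_hvm: bool            # both issues require an HVM guest
    pci_passthrough: bool   # a PCI-passthrough device is assigned to the VM
    shadow_paging: bool     # HAP disabled / shadow paging enabled for the VM
    console_watched: bool   # console actively consumed, e.g. from XenCenter
    hotfixed: bool = False  # the release's hotfix is installed on the host

def exposure(g):
    # Returns the CVEs from this bulletin whose conditions the guest meets.
    if g.hotfixed or not g.is_hvm:
        return []
    uses_hap = g.host_has_hap and not g.shadow_paging
    hits = []
    # VT-d cache write-back: passthrough device, non-AMD host, HAP in use.
    if (g.release in AFFECTED["CVE-2020-15565"] and g.pci_passthrough
            and g.cpu_vendor != "AMD" and uses_hap):
        hits.append("CVE-2020-15565")
    # Dirty VRAM tracking: guest runs without HAP and its console is watched.
    if (g.release in AFFECTED["CVE-2020-15563"] and not uses_hap
            and g.console_watched):
        hits.append("CVE-2020-15563")
    return hits

INVENTORY = [  # constructed sample inventory, not real hosts
    Guest("gpu-vm", "8.2 LTSR", "Intel", True, True, True, False, False),
    Guest("legacy-vm", "8.1", "Intel", False, True, False, False, True),
    Guest("amd-gpu-vm", "8.2 LTSR", "AMD", True, True, True, False, True),
    Guest("old-shadow", "7.1 LTSR CU2", "Intel", True, True, False, True, True),
]

def triage(inventory):
    return {g.name: exposure(g) for g in inventory}

if __name__ == "__main__":
    for name, cves in triage(INVENTORY).items():
        print(f"{name}: {', '.join(cves) or 'not exposed'}")
```

Because CVE-2020-15565 requires HAP to be in use for the guest and CVE-2020-15563 requires that it is not, a single guest can meet the conditions for at most one of the two issues.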

What Customers Should Do

Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes as soon as their patching schedule permits. The hotfixes can be downloaded from the following locations:

Citrix Hypervisor 8.2 LTSR: CTX277444 – https://support.citrix.com/article/CTX277444

Citrix Hypervisor 8.1: CTX277443 – https://support.citrix.com/article/CTX277443

Citrix Hypervisor 8.0: CTX277442 – https://support.citrix.com/article/CTX277442

Citrix XenServer 7.1 LTSR CU2: CTX277441 – https://support.citrix.com/article/CTX277441

Citrix XenServer 7.0: CTX277440 – https://support.citrix.com/article/CTX277440

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please visit the Citrix Trust Center at https://www.citrix.com/about/trust-center/vulnerability-process.html.

Changelog

Date        Change
2020-07-08  Initial Publication