Citrix XenServer Multiple Security Updates

A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 6.1.

The following vulnerabilities have been addressed:

  • CVE-2013-1918: Several long latency operations are not pre-emptible
  • CVE-2013-1919: Several access permissions with IRQs for unprivileged guests
  • CVE-2013-1952: VT-d interrupt remapping source validation flaw for bridges
  • CVE-2013-1964: grant table hypercall acquire/release imbalance

Mitigating Factors

Customers on versions of XenServer prior to XenServer 6.0 are only affected by CVE-2013-1918 which is a host denial of service attack. Continue reading “Citrix XenServer Multiple Security Updates”

Citrix XenServer Security Update (for all versions)

A security vulnerability has been identified in Citrix XenServer. This vulnerability allows an unprivileged user of a guest VM to crash the host.

The vulnerability is identified as:

• CVE-2013-1917: Xen PV DoS vulnerability with SYSENTER

Mitigating Factors

The vulnerability can only be exploited from PV guest VMs running on Intel CPUs.

Hotfixes

Hotfixes have been released to address this issue. Citrix recommends that affected customers install the relevant hotfix, which can be downloaded from the following locations:

Citrix XenServer 6.1: CTX137487 – Hotfix XS61E019 – For XenServer 6.1.0

Citrix XenServer 6.0.2: CTX137486 – Hotfix XS602E022 – For XenServer 6.0.2

Citrix XenServer 6.0.0: CTX137484 – Hotfix XS60E028 – For XenServer 6.0

Citrix XenServer 5.6 Service Pack 2: CTX137483 – Hotfix XS56ESP2027 – For XenServer 5.6 Service Pack 2

Citrix XenServer 5.6 Feature Pack 1: CTX137482 – Hotfix XS56EFP1017 – For XenServer 5.6 Feature Pack 1

Citrix XenServer 5.6: CTX137481 – Hotfix XS56E018 – For XenServer 5.6

Citrix XenServer 5.5 Update 2: CTX137480 – Hotfix XS55EU2016 – For XenServer 5.5 Update 2

Citrix XenServer 5.0 Update 3: CTX137479 – Hotfix XS50EU3016 – For XenServer 5.0 Update 3

Read the original KB article here.