XCP-ng Security Bulletin

XenServer based, Community Powered.

Latest news regarding security on XCP-ng! For this first bulletin, it’s all about the Foreshadow vulnerability, but also about a specific XAPI problem. Take time to read it, or at least keep your hosts up-to-date!

XSA-273

Also known as “L1 Terminal Fault speculative side channel” or even shorter: Foreshadow.

The most interesting details are available here.

In short: on Intel CPUs, if you don’t control every VM running on a host (e.g. you sell VPS services), this is a major confidentiality risk. A malicious guest can read data from memory outside its own VM, including memory belonging to other VMs or to the hypervisor itself. Note that the advisory itself warns that, with hyperthreading enabled, the software fix alone does not fully protect against an untrusted HVM guest sharing a physical core, so read it before deciding you are done.

XSA-271

This is an HTTP handling issue in XAPI that can lead to full root access on the dom0 (and therefore to all its VMs).

Note: fresh XCP-ng installs aren’t impacted, because the issue is caused by a dedicated folder used with Citrix hotfixes.

All the vulnerability details are available here.

Solution: just update

Please keep your XCP-ng hosts up-to-date: the fixed RPMs are already available!

Remember that you can update from the command line with yum update, but you can also use Xen Orchestra to update your whole pool just by clicking on “Install pool patches”! Note that an update to the Xen hypervisor only takes effect once the host has been rebooted. If you need a reminder of the procedure, it is documented on our official Wiki.

You can see the list of updates in the host view:
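Once a host is updated and rebooted, it is worth confirming that the hypervisor really reports the Foreshadow mitigation, and the reliable place to look is Xen’s own boot log (xl dmesg) rather than a guest-side checker, which only sees the dom0 Linux kernel. The script below is an added example, not code from XCP-ng or from this post. It assumes that a patched Xen prints a block headed “Speculative mitigation facilities:” whose “Xen settings:” line carries an L1D_FLUSH token and which contains a “PV L1TF shadowing:” line; the two log samples embedded in it are constructed for this example and only approximate real output. On a real host you would run it as root with the --live flag.

```shell
#!/bin/sh
# Added example (not from the XCP-ng page or project): confirm from dom0 that the
# patched Xen hypervisor reports its L1TF/Foreshadow mitigation by reading the
# hypervisor's own boot log (`xl dmesg`) instead of a guest-side checker.
# ASSUMPTION: Xen prints a block headed "Speculative mitigation facilities:"
# whose "Xen settings:" line carries an L1D_FLUSH token and which contains a
# "PV L1TF shadowing:" line. Both samples below are constructed for this
# example and only approximate real output.

SAMPLE_PATCHED='(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
(XEN)   Compiled-in support: INDIRECT_THUNK SHADOW_PAGING
(XEN)   Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS- SSBD-, Other: IBPB L1D_FLUSH
(XEN)   L1TF: believed vulnerable, maxphysaddr L1D 46, CPUID 46, Safe address 8000000000
(XEN)   Support for VMs: PV: MSR_SPEC_CTRL RSB, HVM: MSR_SPEC_CTRL RSB
(XEN)   XPTI (64-bit PV only): Dom0 enabled, DomU enabled
(XEN)   PV L1TF shadowing: Dom0 disabled, DomU enabled
(XEN) Using scheduler: SMP Credit Scheduler (credit)'

# An unpatched hypervisor prints no mitigation report at all (constructed sample).
SAMPLE_UNPATCHED='(XEN) Using scheduler: SMP Credit Scheduler (credit)
(XEN) Initializing CPU#0'

# Read `xl dmesg` text on stdin. Return 0 only if Xen reports that it actually
# uses L1D flushing and offers PV L1TF shadowing; print the report for the reader.
check_l1tf_mitigation() {
    block=$(grep -i -A8 'mitigation' | sed 's/^(XEN) *//')
    if [ -z "$block" ]; then
        echo "no speculative mitigation report: hypervisor not patched for XSA-273" >&2
        return 1
    fi
    echo "$block"
    # The "Hardware features" line only says the microcode offers L1D_FLUSH;
    # the "Xen settings" line says whether Xen is using it.
    if ! echo "$block" | grep 'Xen settings' | grep -q 'L1D_FLUSH'; then
        echo "Xen is not using L1D_FLUSH (check CPU microcode)" >&2
        return 1
    fi
    if ! echo "$block" | grep -q 'PV L1TF shadowing'; then
        echo "no PV L1TF shadowing line in the report" >&2
        return 1
    fi
    return 0
}

# Convenience wrapper: print "mitigated" or "vulnerable" for the text on stdin.
l1tf_verdict() {
    if check_l1tf_mitigation >/dev/null 2>&1; then echo mitigated; else echo vulnerable; fi
}

if [ "$1" = "--live" ]; then
    # On a real XCP-ng host, as root:  sh l1tf-check.sh --live
    xl dmesg | check_l1tf_mitigation
else
    # Offline demo against the constructed samples.
    printf 'patched sample:   %s\n' "$(printf '%s\n' "$SAMPLE_PATCHED"   | l1tf_verdict)"
    printf 'unpatched sample: %s\n' "$(printf '%s\n' "$SAMPLE_UNPATCHED" | l1tf_verdict)"
fi
```

The check deliberately distinguishes the hardware capability line from the Xen settings line: a host whose microcode has not been updated can advertise nothing in “Hardware features” while the hypervisor package is already fixed, and that is the case a practitioner wants flagged rather than silently reported as patched.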

10 Responses

  1. Ringo says:

    thanks for the patches guys! are there also updates for xcp-ng 7.4?

    • olivierlambert says:

      That’s a good question. Short answer: not planned.

      Long answer: we’d like to avoid doing that for multiple reasons: Citrix won’t keep supporting 7.4 for long either, so focusing on the latest “stable” is probably better. Maybe, in the future, we’ll have a kind of “LTS”, but I can’t promise that.

      Also, we try to keep the upgrade as easy as possible (the “yum” option to go from XCP-ng 7.4 to 7.5), so we won’t have to backport stuff, which can lead to a massive amount of work.

      However, we are open to discuss that choice in our forum 🙂

      • Ringo says:

        wow, thanks for the fast reply. I’ve just figured out, while upgrading my pool from 7.4 to 7.5, that I can’t migrate local-storage VMs during the upgrade, and I don’t have shared storage. Shutting down the VMs is not really an option at the moment, that’s why I’m asking 🙂 Is it planned for the future that it will be possible to migrate local-storage machines to an already updated host? Would be nice 🙂 Cheers, Ringo

        • olivierlambert says:

          I don’t see why you couldn’t. Migrate VMs from the pool master to another host (within the pool or not), upgrade/reboot this host, then migrate back the VM. You can always migrate a VM from older to newer versions.

          • Ringo says:

            oh, that’s strange – migrating all VMs from the pool master to the slave works, but if I want to move them back after upgrading, I’m getting the error:
            "message": "NOT_SUPPORTED_DURING_UPGRADE()",
            "stack": "XapiError: NOT_SUPPORTED_DURING_UPGRADE()

            … so I thought it’s because they are on local storage and this is not supported; VMs on shared storage are working fine.

          • olivierlambert says:

            Never saw this error previously. Please open a post on the forum.

  2. Stefan says:

    Hello,
    when I use this tool

    https://github.com/speed47/spectre-meltdown-checker

    to check the security issues on my fully patched xcp-ng 7.5 system, I’m still vulnerable to the following variants:

    CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
    CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
    CVE-2018-3639 [speculative store bypass] aka ‘Variant 4’
    CVE-2018-3615/3620/3646 [L1 terminal fault] aka ‘Foreshadow & Foreshadow-NG’

    Is the script not working well with XenServer or are the security issues not closed by the patches?

    Greets Stefan

    • olivierlambert says:

      Tested in my lab, and I have the same result, both on XS 7.5 and XCP-ng 7.5 fully patched. I suspect the script not taking some distro modification into account (I think XenServer is using a patched version of GCC that the script probably doesn’t detect). I’ll try to get info from Citrix directly.

    • olivierlambert says:

      Okay, I got some info. I confirm this is because of how the script works.

      In your case, use xl dmesg | grep -i mitigation -A8 (it’s just an example, but you should be able to see the available mitigations).

  3. @fbifido says:

    [quote]
    “message”: “NOT_SUPPORTED_DURING_UPGRADE()”,
    “stack”: “XapiError: NOT_SUPPORTED_DURING_UPGRADE()
    [/quote]

    This seems like the host has not completed the upgrade, or xcp-ng-7.5 has not cleared all the checkmarks for the upgrade.
    After the upgrade, do a shutdown, then power back on, then a yum upgrade or yum update, then a reboot & try again.
