Xen and Intel microcode security updates
New security updates are available for Xen and for Intel microcode.
Security updates are available for the two supported releases of XCP-ng: 7.6 and 8.0.
To update, follow this guide. Join the discussion on our community forum.
Reboot after updating.
Related: https://support.citrix.com/article/CTX266932
XSA-308: possible guest crash
Reference: http://xenbits.xen.org/xsa/advisory-308.html
Impact
HVM/PVH guest userspace code may be able to crash the guest, resulting in a guest Denial of Service.
Vulnerable systems
Only systems supporting VMX hardware virtual extensions (Intel, Cyrix or Zhaoxin CPUs) are affected. [...] AMD systems are unaffected.
Only HVM/PVH guests are affected. PV guests cannot leverage the vulnerability.
Resolution
Apply the updates on your XCP-ng hosts and reboot.
XSA-309: possible host crash from PV guest
Reference: http://xenbits.xen.org/xsa/advisory-309.html
Impact
A malicious or buggy PV guest may cause the hypervisor to crash, resulting in a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leak possibilities cannot be excluded either.
Vulnerable systems
Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability.
Only systems which have enabled linear pagetables are vulnerable. Systems which have disabled linear pagetables [...] [by] adding pv-linear-pt=false on the command line are not vulnerable.
Mitigation
If you don't have any guests which need linear pagetables, you can disable the feature by adding pv-linear-pt=false to your Xen command-line. NetBSD is known to use linear pagetables; Linux and MiniOS are known not to use linear pagetables.
Resolution
Apply the updates on your XCP-ng hosts and reboot.
XSA-310: privilege escalation from malicious PV guests
Reference: http://xenbits.xen.org/xsa/advisory-310.html
Impact
A malicious PV guest administrator may be able to escalate their privilege to that of the host.
Vulnerable systems
Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability.
Note that these attacks require very precise timing, which may be difficult to exploit in practice.
Mitigation
If you don't have any guests which need linear pagetables, you can disable the feature by adding pv-linear-pt=false to your Xen command-line. NetBSD is known to use linear pagetables; Linux and MiniOS are known not to use linear pagetables.
Resolution
Apply the updates on your XCP-ng hosts and reboot.
XSA-311: malicious HVM guest with PCI pass-through on AMD may crash the host
Reference: http://xenbits.xen.org/xsa/advisory-311.html
Impact
A malicious guest administrator can cause Xen to access data structures while they are being modified, causing Xen to crash. Privilege escalation is thought to be very difficult but cannot be ruled out.
Additionally, there is a potential memory leak of 4kb per guest boot, under memory pressure.
Vulnerable systems
Only Xen on AMD CPUs is vulnerable. Xen running on Intel CPUs is not vulnerable.
Only systems where guests are given direct access to physical devices are vulnerable. Systems which do not use PCI pass-through are not vulnerable.
Only HVM guests can exploit the vulnerability. PV and PVH guests cannot.
Resolution
Apply the updates on your XCP-ng hosts and reboot.
Intel microcode update
Impact
Due to an issue in some Intel CPU hardware, unprivileged code running within a guest VM may be able to compromise that guest VM.
Vulnerable systems
The list of vulnerable CPUs can be found at: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00317.html.
Resolution
Apply the updates on your XCP-ng hosts and reboot.
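The mitigation sections for XSA-309 and XSA-310 and the resolution steps above all come down to a few host-side checks: is pv-linear-pt=false actually on the Xen command line, which guests are PV (the only type that can leverage XSA-309/310), is the host an AMD one with PCI pass-through (XSA-311), and which microcode revision does the CPU report after the reboot. The script below is an added example written for this post; it is not XCP-ng project code. It assumes that `xl info` prints a `xen_commandline` field, that `xe vm-list params=name-label,HVM-boot-policy` shows an empty HVM-boot-policy for PV guests and a value such as "BIOS order" for HVM guests, and that `/proc/cpuinfo` carries `vendor_id` and `microcode` lines; the sample texts embedded in it are constructed to match those shapes, not captured from a real host. The parsing functions take text as arguments so they can be exercised offline; `audit_host` runs the live commands and must be executed as root on the XCP-ng host.

```shell
#!/bin/sh
# Added example for this post, not XCP-ng project code: audit one XCP-ng host
# for the state described in the advisories above. Parsing functions take text
# so they can be tested offline; audit_host at the bottom assumes the real `xl`,
# `xe` and /proc/cpuinfo of an XCP-ng host and must run as root there.

# Constructed sample in the shape of `xl info` output (not captured from a host).
SAMPLE_XL_INFO='host                   : xcp-ng-host
release                : 4.x
xen_commandline        : dom0_mem=4096M,max:4096M watchdog ucode=scan pv-linear-pt=false
cc_compiler            : gcc'

# Constructed sample in the shape of `xe vm-list params=name-label,HVM-boot-policy`;
# assumption: a PV guest shows an empty HVM-boot-policy, an HVM guest "BIOS order".
SAMPLE_VM_LIST='name-label ( RW)    : ubuntu-pv
HVM-boot-policy ( RW):


name-label ( RW)    : win2019
HVM-boot-policy ( RW): BIOS order'

# Constructed /proc/cpuinfo excerpt.
SAMPLE_CPUINFO='vendor_id       : GenuineIntel
model name      : Constructed CPU
microcode       : 0xd6'

# Value of the first "key : value" line whose key is $2 in the text $1.
field_value() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" | head -n 1
}

xen_cmdline_from_info()   { field_value "$1" xen_commandline; }
cpu_vendor_from_cpuinfo() { field_value "$1" vendor_id; }
microcode_from_cpuinfo()  { field_value "$1" microcode; }

# Succeeds when the Xen command line carries the advisory's mitigation token.
# Assumption: the option is spelled exactly pv-linear-pt=false as in the post;
# other boolean spellings Xen accepts are deliberately not guessed here.
linear_pt_disabled() {
    case " $1 " in
        *" pv-linear-pt=false "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the name-label of every PV guest in xe vm-list output, one per line.
# Records are blank-line separated; $0 is never modified so field order does not matter.
pv_guests_from_vmlist() {
    printf '%s\n' "$1" | awk '
        function value(line) {
            sub(/^[^:]*:[[:space:]]*/, "", line); sub(/[[:space:]]+$/, "", line); return line
        }
        function emit() {
            if (name != "" && seen && policy == "") print name
            name = ""; policy = ""; seen = 0
        }
        /^name-label/      { name = value($0) }
        /^HVM-boot-policy/ { policy = value($0); seen = 1 }
        /^[[:space:]]*$/   { emit() }
        END                { emit() }
    '
}

# Live audit: run as root on the XCP-ng host (hypothetical usage: sh audit.sh --run).
audit_host() {
    cmdline=$(xen_cmdline_from_info "$(xl info)")
    echo "Xen command line: $cmdline"
    if linear_pt_disabled "$cmdline"; then
        echo "XSA-309/310 mitigation: pv-linear-pt=false is set"
    else
        echo "XSA-309/310 mitigation: linear pagetables still enabled; the patched Xen is what protects you"
    fi
    pv=$(pv_guests_from_vmlist "$(xe vm-list params=name-label,HVM-boot-policy)")
    echo "PV guests (the only guest type that can leverage XSA-309/310):"
    if [ -n "$pv" ]; then printf '%s\n' "$pv" | sed 's/^/  /'; else echo "  none"; fi
    cpuinfo=$(cat /proc/cpuinfo)
    echo "CPU vendor: $(cpu_vendor_from_cpuinfo "$cpuinfo") (XSA-311 concerns AMD hosts using PCI pass-through only)"
    echo "Microcode revision: $(microcode_from_cpuinfo "$cpuinfo") (compare against Intel SA-00317 after the reboot)"
}

if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

The linear-pagetable check is intentionally strict: it only recognises the exact token the advisory names, so a host where someone spelled the option differently is reported as "still enabled" and gets looked at by a human rather than silently passing. Run the audit once before and once after the update reboot; the microcode revision line is the quickest confirmation that the new Intel microcode was actually loaded.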