August 2020 XCP-ng Security Updates

Security updates are available for the two supported releases of XCP-ng: 8.0 and 8.1.

To update, follow this guide. You can also join the discussion on our community forum. You only need to restart VMs, not your hosts.

Related: Citrix Hypervisor Security Bulletin

The fixed vulnerabilities are only believed to pose a risk in specific configurations (people using PCI passthrough to untrustworthy guests). If you don't use this feature, only deprivileged code execution is possible in the Control Domain. However, we strongly recommend applying this patch as soon as possible.

CVE-2018-17958: QEMU buffer overflow in emulated RTL8139

  • Impact: Integer overflows could occur while receiving packets and could lead to out-of-bounds (OOB) stack buffer access, resulting in a DoS scenario.
  • Vulnerable systems: HVM guests using NIC emulation (with no network PV drivers) are vulnerable.
  • Resolution: Restart guests or migrate them to a patched host; there is no need to reboot the host.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17958


XSA-335: QEMU USB out-of-bounds r/w access issue

  • Impact: An out-of-bounds read/write access flaw was found in the USB emulator of QEMU. This issue occurs while processing USB packets from a guest when USBDevice setup_len exceeds its data_buf[4096] in the do_token_in and do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.
  • Vulnerable systems: All HVM guests. PCI passthrough makes this worse (privileged code execution in Control Domain).
  • Resolution: Restart guests or migrate them to a patched host; there is no need to reboot the host.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14364 and https://xenbits.xen.org/xsa/advisory-335.html
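
The invariant behind the XSA-335 description (setup_len must never exceed data_buf[4096]) can be shown with a simplified C model. This is an added illustration, not QEMU's code or the upstream patch: only setup_len and data_buf[4096] come from the advisory, while the struct, the function names and the sample SETUP packet are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of a USB control transfer; setup_len and data_buf follow
 * the advisory, everything else is hypothetical and not QEMU's code. */
struct usb_model {
    uint8_t  data_buf[4096];
    uint32_t setup_len;    /* length the guest asked for in the SETUP packet */
    uint32_t setup_index;  /* bytes already transferred */
};

/* SETUP stage: wLength is bytes 6..7 of the 8-byte packet, little endian.
 * Parse into a local and validate before touching device state, so a
 * rejected packet never writes an oversized length into setup_len. */
int model_setup(struct usb_model *d, const uint8_t pkt[8])
{
    uint32_t len = ((uint32_t)pkt[7] << 8) | pkt[6];
    if (len > sizeof(d->data_buf))
        return -1;
    d->setup_len = len;
    d->setup_index = 0;
    return 0;
}

/* IN data stage: copy at most what remains, and re-check the invariant
 * setup_index <= setup_len <= sizeof(data_buf) before every copy. */
int model_token_in(struct usb_model *d, uint8_t *out, uint32_t want)
{
    if (d->setup_len > sizeof(d->data_buf) || d->setup_index > d->setup_len)
        return -1;
    uint32_t left = d->setup_len - d->setup_index;
    uint32_t n = want < left ? want : left;
    memcpy(out, d->data_buf + d->setup_index, n);
    d->setup_index += n;
    return (int)n;
}

/* Constructed driver: guest-supplied wLength, then one IN token of `want` bytes. */
int model_demo(uint16_t wlength, uint32_t want)
{
    static struct usb_model d;
    static uint8_t out[4096];
    uint8_t pkt[8] = {0x80, 0x06, 0, 1, 0, 0,
                      (uint8_t)(wlength & 0xff), (uint8_t)(wlength >> 8)};
    d.setup_len = 0xffff;        /* constructed stale value: must fail closed */
    (void)model_setup(&d, pkt);  /* a rejected packet leaves state untouched */
    return model_token_in(&d, out, want);
}
```

A wLength above 4096 is refused at the SETUP stage and again at the data stage, while in-range requests are clamped to the bytes that remain.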