August 2023 Security Update
New security and bugfix updates are available for the only currently supported release of XCP-ng: 8.2 LTS.
📋 Summary
Several vulnerabilities have been discovered in Intel and AMD CPUs and are addressed by microcode, Xen, and XAPI updates.
In addition to this, Xen is updated for better hardware support, Intel and AMD microcodes are updated to the latest, and we also update other components in XCP-ng for bug fixes and small improvements.
Updating your hardware's firmware remains the preferred way to update microcode, and any newer microcode found in the firmware will take precedence over the microcode we provide in XCP-ng.
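Since firmware-supplied microcode overrides the package XCP-ng ships, the useful post-reboot check is which revision each core is actually running. The script below is an added example, not part of the XCP-ng update or its tooling; it reads the `microcode` field that dom0's Linux kernel exposes in `/proc/cpuinfo` and flags hosts whose cores report different revisions. The revision numbers in the embedded samples are constructed placeholders, not real Intel or AMD values.

```shell
#!/bin/sh
# Added example, not part of the XCP-ng update or its tooling: report the
# microcode revision each logical CPU actually runs, as dom0 sees it in
# /proc/cpuinfo. Firmware-supplied microcode takes precedence over the
# package XCP-ng ships, so this is the value to record after a reboot; a mix
# of revisions across cores means the update did not reach every core.

# Print "cpu:revision" for every logical CPU listed in a cpuinfo-format file.
microcode_per_cpu() {
    awk -F': ' '
        $1 ~ /^processor/ { cpu = $2 }
        $1 ~ /^microcode/ { printf "%s:%s\n", cpu, $2 }
    ' "$1"
}

# Print the set of distinct revisions found in the file, one per line.
microcode_distinct() {
    microcode_per_cpu "$1" | cut -d: -f2 | sort -u
}

# Exit status 0 if every CPU reports the same revision, 1 otherwise
# (also 1 when the file carries no microcode field at all).
microcode_uniform() {
    [ "$(microcode_distinct "$1" | awk 'END { print NR }')" -eq 1 ]
}

# Human-readable report for an operator; non-zero status on a mismatch.
microcode_report() {
    if microcode_uniform "$1"; then
        echo "microcode revision on all CPUs: $(microcode_distinct "$1")"
    else
        echo "WARNING: CPUs report different microcode revisions:" >&2
        microcode_per_cpu "$1" >&2
        return 1
    fi
}

# Constructed samples in /proc/cpuinfo format (not captured from a real
# host; the revision numbers are placeholders). Only the fields the
# functions read are included. Each writes a temp file and prints its path.
sample_cpuinfo_uniform() {
    f=$(mktemp)
    printf 'processor\t: 0\nvendor_id\t: GenuineIntel\nmicrocode\t: 0x000000a1\n\n' > "$f"
    printf 'processor\t: 1\nvendor_id\t: GenuineIntel\nmicrocode\t: 0x000000a1\n\n' >> "$f"
    echo "$f"
}

sample_cpuinfo_mixed() {
    f=$(mktemp)
    printf 'processor\t: 0\nvendor_id\t: GenuineIntel\nmicrocode\t: 0x000000a1\n\n' > "$f"
    printf 'processor\t: 1\nvendor_id\t: GenuineIntel\nmicrocode\t: 0x000000a2\n\n' >> "$f"
    echo "$f"
}

# Usage: sh check_microcode.sh /proc/cpuinfo
# The report only runs when a file is given explicitly, so the functions can
# be sourced without side effects.
if [ -n "${1:-}" ]; then
    microcode_report "$1"
fi
```

Run it on the host as `sh check_microcode.sh /proc/cpuinfo` after rebooting into the update, and keep the printed revision with the host's change record; comparing it against the revision reported before the update tells you whether the new microcode (from the package or from a firmware update) is the one in effect.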
🔒 Fixed vulnerabilities
🔸XSA-432: CVE-2023-34319. Under Linux, a buffer overrun in the netback driver can be triggered by unusual packets. This is a regression from the fix for XSA-423, which did not account for an extreme case: an entire packet split into as many pieces as the protocol permits while still being smaller than the area that is handled to keep all headers together. Malicious, privileged code running in a VM can crash the host.
🔸XSA-434: CVE-2023-20569. Researchers from ETH Zurich have extended their prior research (XSA-422, Branch Type Confusion, a.k.a. Retbleed) and have discovered INCEPTION, also known as RAS (Return Address Stack) Poisoning and Speculative Return Stack Overflow. An attacker might be able to infer the contents of memory belonging to other guests. This CVE only affects hypervisors running on AMD CPUs with Zen 3 or Zen 4 microarchitectures.
🔸XSA-435: CVE-2022-40982. A security issue in certain Intel CPUs may allow an attacker to infer data from different contexts on the same core.
🐛 Bug fixes
Here is the list of bug fixes per component.
XAPI
- If you modified the host initiator IQN for an iSCSI target that was already connected with a different IQN, the host kept using the previous value to connect to that target.
- The private key of a certificate could be wrongly refused when installing it on your hypervisor server, because of overly strict cryptographic checking.
kernel
- Intel processors (Intel Xeon 84xx/64xx/54xx/44xx/34xx, Sapphire Rapids and possibly others) reported ACPI processor-related data incorrectly to the hypervisor.
lldpad
- The FCoE service can have a memory leak that could use up dom0 memory.
- A resource leak in the FCoE service can crash the service.
- When trying to create an LACP bond using Cisco Nexus switches, the host could have intermittent connection problems.
✨ Other changes - Improvements
We took the opportunity of this security update to bundle other minor improvements that were ready to release.
Xen + XAPI
- Expose MSR_ARCH_CAPS to guests on all Intel hardware by default.
- Expose additional features for Intel CPUs, especially for Cascade Lake or later Intel CPUs.
AMD microcode
- Updated to the latest AMD firmware for processor family 19h (August 8th 2023 release).
Intel microcode
- Update to IPU 2023.3
xcp-ng-xapi-plugins
- The updater plugin, used by Xen Orchestra to apply updates, can now also install new packages (this will be used to deploy XOSTOR from Xen Orchestra).
Guest templates
- Added a template for Debian 12 Bookworm.
XOSTOR
- Updated some of the packages used by XOSTOR (blktap, tzdata, ...).
📚 References
Citrix Hypervisor Security Bulletin:
Citrix Hypervisor Hotfixes:
- Linux kernel: XS82ECU1028 and XS82ECU1042
- Xen, Intel microcode, AMD microcode: XS82ECU1045
- XAPI: XS82ECU1033 and XS82ECU1040
- lldpad: XS82ECU1032