June 2024 Security and Maintenance Update

Security Jun 17, 2024

New bugfix, enhancement and security updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

We usually queue non-critical fixes or improvements for a grouped release, to avoid unnecessary maintenance tasks on your pools. This is one such grouped release, grouped along with a set of security updates.

Given this groups maintenance updates and security updates, it is strongly advised for all users to update their hosts.

🔒 Security Updates

  • qemu: CVE-2024-5661 - XenServer security bulletin - Fixes to prevent a DoS on hosts that could be caused by a malicious guest's administrator.
  • openssh: We rebased on CentOS 7's openssh-7.4p1-23.el7_9 to include fixes for various CVEs. The update also changes the way default ciphers and algorithms are set. See dedicated section below. The following CVEs are fixed:
    • CVE-2023-38408: Possible remote code execution if an agent is forwarded to an attacker-controlled system.
    • CVE-2023-48795¹: This is the terrapin-attack, it could allow attacker to downgrade the connection's security by truncating the extension negotiation message, enabling them to use a less secure authentication algorithms.
    • CVE-2021-41617: Could lead to privilege escalation through the use of AuthorizedKeysCommand and AuthorizedPrincipalsCommand that could be running with sshd group permissions if the configuration specifies running the command as a different user.
  • curl: Updated to version 8.6.0, including fix for the critical CVE-2023-38545¹ vulnerability allowing an attacker to trigger a heap buffer overflow through the SOCKS5 proxy handshake.
  • sudo: Updated to a more recent release to fix some CVEs¹, none of which are critical in the context of XCP-ng as far as we can tell.
¹: XenServer published updates for openssh, curl and sudo together as hotfix XS82ECU1063, whose only description is "This hotfix includes upstream code changes that may reduce false-positive reports for the following CVEs: CVE-2023-38545 (curl), CVE-2023-48795 (openssh) and CVE-2023-28486 (sudo)." We are not sure what this "false-positive reports" statement means, but what appears to us is that anyway the CVEs fixed were clearly either not exploitable, or not critical, in the context of XCP-ng.
  • microcode_ctl: Updated to Intel's IPU 2024.2 release. Contains a mitigation for CVE-2023-45733 where a race condition may allow information disclosure.
  • linux-firmware: Update to AMD firmware to the 2024-05-03 drop. What fixes this contains exactly was not described by AMD.
Updated firmwares are provided as a convenience to help mitigates hardware vulnerabilities and other bugs.
Updating your hardware's firmware remains the preferred way to update microcode, and any newer microcode found in the firmware will take precedence over the microcode we provide in XCP-ng.

ℹ️ About OpenSSH, ciphers and algorithms

To ensure that the lists of authorized Ciphers, algorithms, etc., defined by XenServer's security team are applied, XenServer packagers had decided that any change they had to make would plainly overwrite /etc/ssh/sshd_config and /etc/ssh/ssh_config. Although we discourage customizing XCP-ng's configuration too far, we didn't think it would be acceptable for our users than these files be overwritten without any notice.

So we looked for another approach, and decided for this: we don't define these keys (Ciphers, MACs, KexAlgorithms, HostKeyAlgorithms) in the configuration files anymore. Now, we define them at build time, directly in the built binaries.

If you need to override them, you can still do so in the configuration files. But then this means you become responsible of their future update, whenever a cipher or algorithm starts being considered weak, as this will override the built-in settings defined by our security team.

The update process will attempt to be smart and will remove the definition of the above keys from /etc/ssh/sshd_config and /etc/ssh/ssh_config, but only if you had not touched these lines. If you have brought customizations to these keys, then we will leave them as they were. In this case, this means that any future change our security team may make to the built-in values will not be applied to your hosts, because your changes in the configuration files will override the built-ins.. If you are in this situation, you have to choose: either remove these lines manually, or make sure you keep them updated by yourself according to your security policy.

You can check what configuration is applied to your instance of sshd with: sshd -T.

✨ New Feature

  • sm: adds the new largeblock storage driver, which is a local SR driver which workarounds the current limitation our storage stack has with 4KiB-block-only devices, by transparently emulating a 512B block size (at some performance cost, obviously). More about it in this forum thread. sm was also rebased on Citrix Hypervisor's hotfix XS82ECU1065.

🪲 Bug Fix and Updates

  • xapi: Synced with Citrix Hypervisor hotfixes XS82ECU1064 and XS82ECU1053. Various fixes. Check the hotfixes descriptions.
    • We also added a fix to make the small web server managed by XAPI report accurate mimetypes for files it serves. This is important for XO Lite (which is not installed by default on XCP-ng 8.2, but can be if you need it).
  • tzdata: Updated timezone data.


David Morel

Along with Samuel Verschelde

Hypervisor & Kernel Software Engineer at Vates and XCP-ng Security Coordinator. Open Source enthousiast, using IRC for everything. Raccoons lover.