CVSS2: 6.1 Medium (AV:L/AC:L/Au:N/C:P/I:P/A:C)
Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | COMPLETE |
CVSS3: 8.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
EPSS: 0.0004 Low (Percentile: 14.2%)
Two issues have been identified in Citrix Hypervisor that may, if exploited, allow privileged code in an HVM guest VM to compromise or crash the host. These issues only apply in specific configurations; furthermore, Citrix believes that there would be significant difficulty in successfully executing these specific attacks.
CVE-2020-15565: insufficient cache write-back under VT-d
This issue may allow the administrator of an HVM guest VM to compromise the host. This issue is only applicable to hosts where the host administrator has explicitly assigned a PCI-passthrough device to the attacking VM. Hosts with AMD CPUs are not affected. Hosts where Hardware Assisted Paging (HAP) has been disabled for the attacking VM, or where the host CPU does not support HAP, are not affected.
CVE-2020-15563: inverted code paths in x86 dirty VRAM tracking
This issue may allow the administrator of an HVM guest VM to crash the host. This issue is only applicable to hosts that do not have HAP (or deployments where the host administrator has explicitly enabled shadow paging for the attacking VM). Furthermore, the console of the attacking VM must be actively consumed, e.g. by monitoring it from XenCenter.
CVE-2020-15565 affects all supported releases of Citrix Hypervisor, up to and including Citrix Hypervisor 8.2 LTSR.
CVE-2020-15563 affects Citrix Hypervisor 8.2 LTSR, Citrix Hypervisor 8.1 and Citrix Hypervisor 8.0.
See the per-issue descriptions above. Note in particular that customers are not at risk from these issues if they have not assigned PCI passthrough devices to untrustworthy guests, are using hosts with HAP support, and have not explicitly enabled shadow paging. Most recent CPUs have HAP support (known as EPT on Intel systems).
Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes as soon as their patching schedule permits. The hotfixes can be downloaded from the following locations:
Citrix Hypervisor 8.2 LTSR: CTX277444 – <https://support.citrix.com/article/CTX277444>
Citrix Hypervisor 8.1: CTX277443 – <https://support.citrix.com/article/CTX277443>
Citrix Hypervisor 8.0: CTX277442 – <https://support.citrix.com/article/CTX277442>
Citrix XenServer 7.1 LTSR CU2: CTX277441 – <https://support.citrix.com/article/CTX277441>
Citrix XenServer 7.0: CTX277440 – <https://support.citrix.com/article/CTX277440>
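The applicability conditions and hotfix list above, expressed as a triage check over a VM inventory. This is an added example, not Citrix code; the `Host` and `Guest` record fields and the sample inventory are hypothetical and constructed.

```python
from dataclasses import dataclass
# Hotfix article per release, from the advisory's download list.
HOTFIX = {"8.2 LTSR": "CTX277444", "8.1": "CTX277443", "8.0": "CTX277442",
          "7.1 LTSR CU2": "CTX277441", "7.0": "CTX277440"}
# CVE-2020-15563 is limited to the 8.x releases; CVE-2020-15565 affects all listed.
RELEASES_15563 = {"8.2 LTSR", "8.1", "8.0"}

@dataclass
class Host:  # hypothetical inventory record
    name: str
    release: str
    cpu_vendor: str   # "Intel" or "AMD"
    cpu_has_hap: bool
    hotfixed: bool

@dataclass
class Guest:  # hypothetical inventory record
    name: str
    hvm: bool
    pci_passthrough: bool
    shadow_paging: bool    # HAP disabled / shadow paging enabled for this VM
    console_watched: bool  # console actively consumed, e.g. from XenCenter

def exposure(host, guest):
    """Return the CVE ids whose stated preconditions hold for this guest."""
    if host.release not in HOTFIX:
        raise ValueError(f"release {host.release!r} is not listed in the advisory")
    if host.hotfixed or not guest.hvm:
        return []
    uses_hap = host.cpu_has_hap and not guest.shadow_paging
    found = []
    # VT-d issue: non-AMD host, passthrough device assigned, HAP in use.
    if host.cpu_vendor != "AMD" and guest.pci_passthrough and uses_hap:
        found.append("CVE-2020-15565")
    # Dirty VRAM tracking issue: 8.x only, shadow paging, console being consumed.
    if host.release in RELEASES_15563 and not uses_hap and guest.console_watched:
        found.append("CVE-2020-15563")
    return found

def triage(host, guests):
    """Map guest name -> (CVE ids, hotfix article) for exposed guests only."""
    return {g.name: (cves, HOTFIX[host.release])
            for g in guests if (cves := exposure(host, g))}

# Constructed sample inventory.
HOST = Host("xs-01", "8.1", "Intel", True, False)
GUESTS = [Guest("gpu-vm", True, True, False, False),
          Guest("legacy-vm", True, False, True, True),
          Guest("web-vm", True, False, False, True)]
```

Because CVE-2020-15565 requires HAP to be in use and CVE-2020-15563 requires it not to be, a single guest matches at most one of the two.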
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please visit the Citrix Trust Center at <https://www.citrix.com/about/trust-center/vulnerability-process.html>.
Date | Change |
---|---|
2020-07-08 | Initial Publication |
CPE
Name | Operator | Version |
---|---|---|
citrix hypervisor | le | 8.2 |
citrix hypervisor | le | 8.1 |
citrix hypervisor | le | 8.0 |
citrix xenserver | le | 7.1 |
citrix xenserver | le | 7.0 |