Citrix fixed Hypervisor vulnerabilities this week, allowing code executed in a virtual machine to trigger a denial of service on the host.
Citrix Hypervisor, formerly XenServer, is an open-source platform for virtualization (desktop, server, and cloud), allowing several virtual machines to be installed on the same server and integrating with existing infrastructure.
The newly discussed vulnerabilities, known as CVE-2021-28038 and CVE-2021-28688, could be exploited to cause the host to crash or become unresponsive. Citrix states that an intruder will need to be able to run privileged code in a guest virtual machine to do so.
All currently supported Hypervisor versions, including version 8.2 LTSR, are affected by the two vulnerabilities.
CVE-2021-28038 is a vulnerability in the Linux kernel via version 5.11.3, as used with Xen PV, that exists due to a lack of error treatment in the netback driver, resulting in a denial of service to the host OS “during misbehaviour of a networking frontend driver.”
In contrast, CVE-2021-28688 was discovered to affect all Linux versions that contain the patch for CVE-2021-26930 (XSA-365), a bug that affects blkback’s grant mapping.
A malicious or buggy frontend driver may use the new vulnerability to trigger resource leaks from a corresponding backend driver, resulting in a denial of service on the host. It’s possible that Linux versions as old as 3.11 are affected.
Citrix also fixed a third vulnerability (CVE-2020-35498) this week that only affects Hypervisor 8.2 LTSR and could cause subsequent packets to be dropped due to malicious network traffic.
The tech giant has published hotfixes to correct these bugs, and consumers are advised to instal them as soon as possible. The organisation also appears to be notifying consumers and channel partners about the flaws.
The Cybersecurity and Infrastructure Protection Agency (CISA) has released a notice encouraging users and administrators to review Citrix’s advisory and apply the hotfixes that are accessible.
“Citrix has released security updates to fix Hypervisor vulnerabilities (formerly XenServer). Some of these flaws may be exploited by an attacker to trigger a denial-of-service condition, according to CISA.