Citrix Hypervisor Security Incident
Updated by Keith Kirkland
High Level Summary of the Security Advisory
Citrix is a DaaS and VDI solutions company that provides services enabling secure and efficient access to applications, desktops, and data from a variety of devices and locations. These services are designed to enhance productivity, flexibility, and data security for businesses through virtualization, networking, and remote access solutions.
On October 10, 2023, Citrix issued an advisory outlining several issues affecting Citrix Hypervisor 8.2 CU1 LTSR, software that can be used to run multiple virtual machines on a single physical machine. The security issues may allow malicious privileged code in a guest VM to:
- Compromise an AMD-based host via a passed through PCI device: CVE-2023-34326
- Compromise the host when a specific administrative action is taken (see Mitigating Factors below): CVE-2022-1304
- Cause the host to crash or become unresponsive: CVE-2023-34324
- Cause a different VM running on the AMD-based host to crash: CVE-2023-34327
Collectively, these issues have the following identifiers:
- CVE-2022-1304
- CVE-2023-20588
- CVE-2023-34324
- CVE-2023-34326
- CVE-2023-34327
Details of the discovered security issues can be found at the following link: Citrix Hypervisor Multiple Security Updates.
Mitigating Factors
- CVE-2023-34326 only affects systems that have both a) a PCI device passed through to the guest VM by the host administrator and b) an AMD CPU. Customers who are not using AMD CPUs and customers who are not using the PCI passthrough feature are not affected by this issue.
- CVE-2022-1304 is only exploitable at the point that the host administrator uses the “Restore Virtual Machine Metadata” sub-option of the “Backup, Restore and Update” menu item in the on-host xsconsole interface. Customers who do not use this sub-option are not affected by this issue.
- CVE-2023-34327 only affects systems running on AMD CPUs. Customers who are not using AMD CPUs are not affected by this issue.
- CVE-2023-20588 only affects systems running on AMD Zen1 CPUs. Customers who are using other generations of AMD CPUs or who are not using AMD CPUs are not affected by this issue.
Should I be concerned?
Maybe. It depends on whether you have a relationship with Citrix. Click on the link below to find out if you have a relationship with this vendor. If you do, follow the recommendations below.
Note: This link specifically references vendor directory records. You may also want to search your Relationship List for "Citrix" to confirm.
What to do if you or your vendors have an active relationship with Citrix
Citrix has released hotfixes to address these issues. Citrix recommends that affected customers install these hotfixes and follow the instructions in the linked articles as their update schedule permits. The hotfixes can be downloaded from the following locations:
- CTX575070 - https://support.citrix.com/article/CTX575070
- CTX579955 - https://support.citrix.com/article/CTX579955
- CTX580401 - https://support.citrix.com/article/CTX580401
- CTX581053 - https://support.citrix.com/article/CTX581053
- CTX581108 - https://support.citrix.com/article/CTX581108
In addition, Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.
Furthermore, AMD has disclosed a security issue affecting certain AMD CPUs. Although this is not an issue in the Citrix Hypervisor product itself, Citrix has included the AMD-recommended product changes to mitigate this CPU hardware issue. This issue may allow code in a guest VM to determine values from previous integer divides in code running on the same CPU core: CVE-2023-20588.
Citrix strongly recommends that all customers subscribe at https://support.citrix.com/user/alerts to receive alerts when a Citrix security bulletin is created or modified.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please check the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.
--------------------------------------------------------------
We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback, please let us know at product@visotrust.com.
For any additional questions, please reach out to your customer success manager.
The VISO TRUST team