Vulnerabilities Citrix patched in Hypervisor this week could allow for code executed in a virtual machine to cause denial of service on the host.
Formerly XenServer, Citrix Hypervisor is an open-source platform for virtualization (desktop, server, and cloud), allowing for the deployment of multiple virtual machines onto the same server, and offering integration with existing infrastructure.
Tracked as CVE-2021-28038 and CVE-2021-28688, the newly addressed vulnerabilities could be abused to cause the host to crash or become unresponsive. For that, an attacker would have to be able to execute privileged code in a guest virtual machine, Citrix explains.
The two vulnerabilities were found to impact all currently supported Hypervisor versions, including version 8.2 LTSR.
CVE-2021-28038 is a vulnerability identified in Linux kernel through 5.11.3, as used with Xen PV, and exists because of the lack of the necessary treatment for errors in the netback driver, leading to the host OS denial of service “during misbehavior of a networking frontend driver.”
CVE-2021-28688, on the other hand, was found to impact all Linux versions that include the fix for CVE-2021-26930 (XSA-365), a bug that impacts blkback’s grant mapping.
The new vulnerability could allow for a malicious or buggy frontend driver to cause resource leaks from a corresponding backend driver, thus leading to denial of service on the host. Linux versions as far back as 3.11 are likely affected.
Citrix this week also patched a third vulnerability (CVE-2020-35498) that affects Hypervisor 8.2 LTSR only, and which could result in malicious network traffic causing subsequent packets to be dropped.
The tech giant has released hotfixes that patch these vulnerabilities and is urging customers to apply these hotfixes as soon as possible. Furthermore, the company says it is notifying both customers and channel partners of these flaws.
The Cybersecurity and Infrastructure Security Agency (CISA) today issued a notification to encourage users and admins to review Citrix’ advisory and apply the available hotfixes.
“Citrix has released security updates to address vulnerabilities in Hypervisor (formerly XenServer). An attacker could exploit some of these vulnerabilities to cause a denial-of-service condition,” CISA notes.
Related: Citrix Releases Updates to Prevent DDoS Attacks
Related: Organizations Quick to Patch Critical Citrix ADC Vulnerability
