Security Experts:

Citrix Patches Hypervisor Vulnerabilities Allowing Host Compromise

Citrix has released patches for several vulnerabilities in Hypervisor that could result in privileged code executed in a guest virtual machine compromising or crashing the host.

The most severe of these flaws is CVE-2021-28697 (CVSS score of 7.8), which could lead to host compromise because Grant table v2 status pages become de-allocated in certain conditions, resulting in the hypervisor mapping them to multiple locations.

Because of that, the guest VM may maintain access to pages that might have been freed and then reused for another purpose. Thus, malicious privileged code running in a guest VM may have two or more vCPUs allocated to it.

Next in line is CVE-2021-28694 (CVSS score of 6.8), another page mapping issue. The bug is related to ACPI tables, which are allowed to declare memory that should pass the translation phase unaltered.

Some of these can be mapped to devices, and the hypervisor was found to fail to prevent guests from replacing device mappings explicitly assigned by the host administrator. This could lead to host denial of service (DoS), Citrix says.

Another DoS issue that Citrix addressed with this round of patches is CVE-2021-28698 (CVSS score of 5.5). The vulnerability exists because the hypervisor may take too long to iterate over the information stored on a domain’s grant mappings.

The fourth issue (CVE-2021-28699) could lead to host compromise if the administrator has modified guest or host grant table limits. Also leading to host compromise, the fifth bug (CVE-2021-28701) exists because the hypervisor would re-allocate pages to which the guest retained permissions.

The issues impact all currently supported versions of Citrix Hypervisor, except for CVE-2021-28699, which affects Citrix Hypervisor 8.2 LTSR only. Citrix has addressed the vulnerabilities with the release of hotfixes for Citrix Hypervisor 7.1 LTSR CU2 and Citrix Hypervisor 8.2 LTSR.

In a separate advisory, the United States Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to apply the necessary patches as soon as possible.

“Citrix has released security updates to address vulnerabilities in Hypervisor. An attacker could exploit these vulnerabilities to take control of an affected system,” CISA says.

Related: Citrix Patches Vulnerability in Workspace App for Windows

Related: Citrix Patches DoS Vulnerabilities in Hypervisor

Related: Citrix Releases Updates to Prevent DDoS Attacks Abusing Its Appliances

view counter