WARNING: NEW DENIAL-OF-SERVICE VULNERABILITY AFFECTS XEN SERVER & CITRIX HYPERVISOR, PATCHING ADVISED!

Published : 27/09/2024

Reference:
Advisory #2024-230

Version:
1

Affected software:
XenServer 8 and Citrix Hypervisor 8.2 CU1 LTSR

Type:
Denial of Service (DoS)

CVE/CVSS:
CVE-2024-45817 CVSS: 6.2 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Sources

https://support.citrix.com/s/article/CTX691646-xenserver-and-citrix-hypervisor-security-update-for-cve202445817?language=en_US

Risks

Citrix Hypervisor, built on the Xen Project, is a server virtualization platform designed for hosting, deploying, and managing virtual machines.

CVE-2024-45817, a denial-of-service vulnerability, poses a HIGH risk to Availability: an attacker exploiting it could significantly disrupt an organization’s operations.

Description

Exploitation of CVE-2024-45817 by an attacker within a guest VM can lead to a host crash or unresponsiveness. In the x86 APIC (Advanced Programmable Interrupt Controller) architecture, errors are logged in a status register, and the OS can choose to receive an interrupt when new errors occur. However, if this error interrupt is configured with an illegal vector, it will trigger another error when the interrupt is raised. This causes Xen to enter recursion through the “vlapic_error” function. Although the recursion is bounded and errors only trigger interrupts when a new status bit is set, the lock protecting this state in Xen is taken recursively, leading to a deadlock.
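The recursion-into-deadlock mechanism described above, as an added, simplified model in C (not Xen's code or the vendor's patch): a virtual LAPIC whose error handler re-enters itself when the LVT error vector is illegal and so takes its own non-reentrant lock a second time, beside a hardened variant that records the illegal-vector error iteratively under a single lock hold. The register layout, the error status bit and the vector threshold are assumptions chosen for illustration.

```c
#include <stdint.h>
/* Constructed, simplified model of the advisory's mechanism; not Xen's code. Bit numbers are assumed. */
#define ESR_ILLEGAL_VECTOR (1u << 6)  /* "received illegal vector" status bit (assumed position) */
#define LVT_VECTOR_MASK    0xffu      /* low byte of an LVT entry holds the interrupt vector */
#define FIRST_LEGAL_VECTOR 16u        /* x86 reserves vectors 0-15, so they are illegal for an LVT */

struct vlapic {
    uint32_t esr;        /* error status register: one bit per error class */
    uint32_t lvt_err;    /* LVT error entry; its low byte selects the error interrupt vector */
    int      locked;     /* non-reentrant lock protecting esr, modelled as a flag */
    int      interrupts; /* error interrupts delivered to the guest */
};
enum outcome { OK = 0, DEADLOCK = 1 };

/* Vulnerable shape: a newly set ESR bit raises the error interrupt; an illegal vector is itself
 * an error, so the handler calls back into itself while the lock is still held. */
static enum outcome vlapic_error_vuln(struct vlapic *v, uint32_t err)
{
    if (v->locked) return DEADLOCK;    /* second acquisition of a non-reentrant lock */
    v->locked = 1;
    enum outcome r = OK;
    uint32_t old = v->esr;
    v->esr |= err;
    if (v->esr != old) {               /* only a newly set status bit raises an interrupt */
        uint32_t vec = v->lvt_err & LVT_VECTOR_MASK;
        if (vec >= FIRST_LEGAL_VECTOR)
            v->interrupts++;
        else
            r = vlapic_error_vuln(v, ESR_ILLEGAL_VECTOR); /* re-enters with the lock held */
    }
    v->locked = 0;
    return r;
}

/* Hardened shape (this model's own fix): fold the illegal-vector error into ESR iteratively
 * under one lock hold. The loop is bounded because ESR bits saturate. */
static enum outcome vlapic_error_fixed(struct vlapic *v, uint32_t err)
{
    if (v->locked) return DEADLOCK;
    v->locked = 1;
    uint32_t vec = v->lvt_err & LVT_VECTOR_MASK;
    for (;;) {
        uint32_t old = v->esr;
        v->esr |= err;
        if (v->esr == old) break;      /* nothing new: no interrupt and no further error */
        if (vec >= FIRST_LEGAL_VECTOR) { v->interrupts++; break; }
        err = ESR_ILLEGAL_VECTOR;      /* record the illegal vector instead of recursing */
    }
    v->locked = 0;
    return OK;
}
```

With a legal vector both variants deliver exactly one interrupt per newly set bit; with an illegal vector the vulnerable path reports the modelled deadlock while the hardened path returns with the illegal-vector bit recorded and the lock released.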

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates.

For customers using XenServer 8, updates are available to both the Early Access and Normal update channels at: https://docs.xenserver.com/en-us/xenserver/8/update.

For customers using Citrix Hypervisor 8.2 CU1 LTSR, a hotfix to address this issue is available at: https://support.citrix.com/s/article/CTX691652-hotfix-xs82ecu1077-for-citrix-hypervisor-82-cumulative-update-1

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
