Citrix Patches DoS Vulnerabilities in Hypervisor

Vulnerabilities Citrix patched in Hypervisor this week could allow for code executed in a virtual machine to cause denial of service on the host.


Formerly XenServer, Citrix Hypervisor is an open-source platform for virtualization (desktop, server, and cloud), allowing for the deployment of multiple virtual machines onto the same server, and offering integration with existing infrastructure.


Tracked as CVE-2021-28038 and CVE-2021-28688, the newly addressed vulnerabilities could be abused to cause the host to crash or become unresponsive. For that, an attacker would have to be able to execute privileged code in a guest virtual machine, Citrix explains.


The two vulnerabilities were found to impact all currently supported Hypervisor versions, including version 8.2 LTSR.


CVE-2021-28038 is a vulnerability identified in Linux kernel through 5.11.3, as used with Xen PV, and exists because of the lack of the necessary treatment for errors in the netback driver, leading to the host OS denial of service “during misbehavior of a networking frontend driver.”


CVE-2021-28688, on the other hand, was found to impact all Linux versions that include the fix for CVE-2021-26930 (XSA-365), a bug that impacts blkback's grant mapping.


The new vulnerability could allow for a malicious or buggy frontend driver to cause resource leaks from a corresponding backend driver, thus leading to denial of service on the host. Linux versions as far back as 3.11 are likely affected.


Citrix this week also patched a third vulnerability (CVE-2020-35498) that affects Hype ..