Citrix has released patches for several vulnerabilities in Hypervisor that could result in privileged code executed in a guest virtual machine compromising or crashing the host.
The most severe flaw is CVE-2021-28697 (CVSS score of 7.8). It can lead to host compromise because grant table v2 status pages become de-allocated under certain conditions, resulting in the hypervisor mapping them to multiple locations.
The guest VM may retain access to pages that have been freed and then reused for another purpose. Thus, malicious privileged code running in a guest VM may have two or more vCPUs allocated to it.
Another flaw, CVE-2021-28694 (CVSS score of 6.8), is also a page mapping issue. The bug relates to ACPI tables, which are allowed to declare memory that should pass the translation phase unaltered and be mapped to devices; the hypervisor was found to fail to prevent guests from replacing device mappings explicitly assigned by the host administrator. This could lead to host denial of service (DoS).
Another DoS issue that Citrix addressed with this round of patches is CVE-2021-28698 (CVSS score of 5.5). The vulnerability exists because the hypervisor may take too long to iterate over the information stored on a domain’s grant mappings.
The fourth issue, CVE-2021-28699, could lead to host compromise if the administrator has modified guest or host grant table limits. Also leading to host compromise, the fifth bug, CVE-2021-28701, exists because the hypervisor would re-allocate pages to which the guest retained permissions.
The issues impact all currently supported versions of Citrix Hypervisor, except for CVE-2021-28699, which affects Citrix Hypervisor 8.2 LTSR only. Citrix has addressed the vulnerabilities with the release of hotfixes for Citrix Hypervisor 7.1 LTSR CU2 and Citrix Hypervisor 8.2 LTSR.