Enable mitigations for CVE-2018-12207

Article ID: CTX263718

Description

Depending on your hardware, your Citrix Hypervisor or XenServer installation may be affected by the security issue with the identifier CVE-2018-12207.  Citrix provides the following hotfixes to mitigate this issue: XS70E075, XS71ECU2024, XS76E012, XS80E008.  For more information, see Citrix Hypervisor Security Update.

The mitigations provided for this security issue can have a noticeable effect on performance.  Citrix therefore recommends that customers carefully consider the relative impacts of not mitigating this issue against the performance impact and enable or disable the CVE-2018-12207 mitigations by following the instructions below.

Note: CVE-2018-12207 is not mitigated unless the hotfixes identified in Citrix Hypervisor Security Update have been applied and this protection has been explicitly enabled.

Enabling security mitigations

To enable mitigations for CVE-2018-12207 you must disable executable EPT superpages. Disabling executable EPT superpages does come with a performance impact, caused by increased iTLB pressure. The overhead is workload and CPU dependent.

Citrix Hypervisor 8.0

Citrix Hypervisor 8.0 provides a way to enable the CVE-2018-12207 mitigations at any point after you have installed the hotfix and rebooted, without you having to reboot your server again.

  • In the host console, run the following command:
    xl set-parameters ept=no-exec-sp
  • (Optional) Complete the steps in the following 'All versions' section to ensure that the mitigation is enabled on subsequent boots of the server. The xl set-parameters change applies only to the running hypervisor and is lost at the next reboot unless the boot parameter is also set.

All versions 

The mitigations can be enabled on any supported version of Citrix Hypervisor or XenServer by adding the Xen boot parameter: ept=no-exec-sp

To minimize the number of reboots required, this process can be completed before installing the hotfix, or after applying the hotfix but before rebooting the server. Both the hotfix and the ept=no-exec-sp flag are required to mitigate the issue; setting the flag on a host without the hotfix provides no protection.

  1. Check what ept flags you already have set. In the host console, run the following command:
    /opt/xensource/libexec/xen-cmdline --get-xen ept
    If you have no ept flags set, the command returns a blank line. Otherwise, the existing flags are returned, for example:

    # /opt/xensource/libexec/xen-cmdline --get-xen ept
    ept=no-ad

  2. Set the updated ept flags.
    If you have no existing ept flags, run the following command in the host console
    /opt/xensource/libexec/xen-cmdline --set-xen ept=no-exec-sp

    If you already have ept flags set, append no-exec-sp to the existing list, for example:

    # /opt/xensource/libexec/xen-cmdline --set-xen ept=no-ad,no-exec-sp

    (If the existing set of flags includes exec-sp, remove it rather than listing both exec-sp and no-exec-sp.)

  3. Reboot your Citrix Hypervisor or XenServer system.

Disabling security mitigations

If you have previously enabled these security mitigations and now want to disable them, complete the following steps:

Citrix Hypervisor 8.0

Citrix Hypervisor 8.0 provides a way to disable the CVE-2018-12207 mitigations at any point after you have installed the hotfix and rebooted, without you having to reboot your server again.

  • In the host console, run the following command:
    xl set-parameters ept=exec-sp
  • (Optional) Complete the steps in the following 'All versions' section to ensure that the mitigation stays disabled on subsequent boots of the server. Without this, a no-exec-sp boot parameter that is still present re-enables the mitigation at the next reboot.

All versions 

The mitigations can be disabled on any supported version of Citrix Hypervisor or XenServer by setting the Xen boot parameter: ept=exec-sp

  1. Check what ept flags you already have set. In the host console, run the following command:
    /opt/xensource/libexec/xen-cmdline --get-xen ept
    The existing flags are returned, for example:

    # /opt/xensource/libexec/xen-cmdline --get-xen ept
    ept=no-ad,no-exec-sp

  2. Set the updated ept flags. If the existing set of flags includes no-exec-sp, remove this flag and append exec-sp to any remaining flags in the existing list, for example:

    # /opt/xensource/libexec/xen-cmdline --set-xen ept=no-ad,exec-sp

  3. Reboot your Citrix Hypervisor or XenServer system.
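The two procedures above (enabling with no-exec-sp, disabling with exec-sp) are the same edit of the ept= flag list in opposite directions: drop the conflicting flag, keep every other flag, append the one you want. The following script is an added example and not part of this article or of Citrix's tooling. It assumes only the two commands documented above, /opt/xensource/libexec/xen-cmdline --get-xen/--set-xen and xl set-parameters; the function and option names (new_ept_flags, ept_has_flag, apply_ept_mitigation, the "live" argument) are ours. The "live" argument runs xl set-parameters and is only meaningful on Citrix Hypervisor 8.0 with the hotfix applied; on other versions the reboot in step 3 is still required.

```shell
#!/bin/sh
# Added example (not Citrix code): compute and apply the Xen "ept=" flag list
# that enables or disables the CVE-2018-12207 mitigation on a Citrix
# Hypervisor / XenServer host, handling existing flags idempotently.

# new_ept_flags CURRENT enable|disable
#   CURRENT is the output of 'xen-cmdline --get-xen ept' ("" if no flags set).
#   Prints the new value: other flags kept in order, exec-sp/no-exec-sp
#   removed, then the wanted flag appended. Runs in a subshell so the IFS
#   change stays local.
new_ept_flags() (
    current=$1
    case $2 in
        enable)  want=no-exec-sp; drop=exec-sp ;;
        disable) want=exec-sp;    drop=no-exec-sp ;;
        *) echo "new_ept_flags: mode must be enable or disable" >&2; return 2 ;;
    esac
    list=${current#ept=}          # "ept=no-ad" -> "no-ad", "" -> ""
    IFS=,
    set -- $list                  # split on commas into positional params
    out=""
    for f in "$@"; do
        [ -n "$f" ] || continue
        case $f in
            "$want"|"$drop") continue ;;   # both dropped; $want re-added below
        esac
        out="${out:+$out,}$f"
    done
    out="${out:+$out,}$want"
    printf 'ept=%s\n' "$out"
)

# ept_has_flag FLAGS FLAG : exit 0 if FLAG is one of the comma-separated
# entries in FLAGS (so "no-exec-sp" does not match "exec-sp" or vice versa).
ept_has_flag() {
    case ",${1#ept=}," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# apply_ept_mitigation enable|disable [live]
#   Persists the new flags via xen-cmdline (takes effect at next reboot).
#   With "live", also toggles the running hypervisor with xl set-parameters
#   (Citrix Hypervisor 8.0 with the hotfix only).
apply_ept_mitigation() {
    xc=/opt/xensource/libexec/xen-cmdline
    if [ ! -x "$xc" ]; then
        echo "$xc not found: run this on the hypervisor host console" >&2
        return 1
    fi
    current=$("$xc" --get-xen ept)
    new=$(new_ept_flags "$current" "$1") || return 2
    echo "boot flags: '${current:-<none>}' -> '$new'"
    "$xc" --set-xen "$new"
    if [ "${2:-}" = live ]; then
        if [ "$1" = enable ]; then xl set-parameters ept=no-exec-sp
        else xl set-parameters ept=exec-sp; fi
    fi
    # Verify what was persisted, independent of what we think we wrote.
    if [ "$1" = enable ]; then
        ept_has_flag "$("$xc" --get-xen ept)" no-exec-sp && echo "mitigation persisted"
    else
        ept_has_flag "$("$xc" --get-xen ept)" exec-sp && echo "mitigation disabled on next boot"
    fi
}

# Usage on a host:  sh ept-mitigation.sh enable        (then reboot)
#                   sh ept-mitigation.sh enable live   (8.0: no reboot needed)
[ $# -eq 0 ] || apply_ept_mitigation "$@"
```

Note that the check at the end reads the flags back with --get-xen rather than trusting the value the script just wrote, and that the persisted boot flags say nothing about the running hypervisor: on versions other than 8.0 the host is still unmitigated until the reboot in step 3.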