Description of Problem

A security issue has been identified that may allow privileged code running in a guest VM to which a PCI passthrough device has been allocated to cause other VMs with PCI passthrough devices to fail to boot, crash or become unresponsive.

This only applies to guest VMs where the host administrator has explicitly allocated a host PCI device to the guest VM (“PCI Passthrough”).

This issue has the following CVE identifier:

CVE ID	Description	Vulnerability Type	Pre-conditions
CVE-2021-3308	An attacker with the ability to execute privileged code in a guest VM to which a PCI passthrough device has been allocated can cause other VMs with PCI passthrough devices to fail to boot, crash or become unresponsive.	CWE-664: Improper Control of a Resource Through its Lifetime	Administrator access in guest to which a PCI passthrough device has been allocated

The only supported version of Citrix Hypervisor affected by this issue is 8.2 LTSR.
 

What Customers Should Do

Citrix has released a hotfix to address this issue. Citrix recommends that affected customers install this hotfix as their patching schedule allows.  The hotfix can be downloaded from the following location:
Citrix Hypervisor 8.2 LTSR: CTX292625 – https://support.citrix.com/article/CTX292625
 

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
 

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.
 

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: –  https://www.citrix.com/about/trust-center/vulnerability-process.html
 

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time.
 

Changelog

Date	Change
2021-02-04	Initial Publication