CISA: Security Updates Issued for Citrix XenServer and Citrix Hypervisor (CVE-2023-46842, CVE-2024-2201 and CVE-2024-31142)

Bar Refael

April 14, 2024

Citrix has announced the release of crucial security updates for XenServer and Citrix Hypervisor to address several vulnerabilities that could potentially allow cyber threat actors to gain control over affected systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged users and administrators to promptly review and apply these necessary updates.

Vulnerabilities Addressed:

  • CVE-2023-46842: Affects all deployments; could allow privileged code in a guest VM to crash the host.
  • CVE-2024-2201: Affects only Intel CPU deployments; may allow unprivileged code in a guest VM to infer memory contents of its own or other VMs on the same host.
  • CVE-2024-31142: Affects only AMD CPU deployments; similar potential for memory inference as CVE-2024-2201.

Update and Mitigation Guidance:

  • XenServer 8 Users: Updates are available through the Early Access and Normal update channels. Instructions for updating can be found at the XenServer documentation site.
  • Citrix Hypervisor 8.2 CU1 LTSR Users: A hotfix addressing these issues is available. Citrix advises installing this hotfix as per the update schedule permits. The hotfix is downloadable at CTX588044 – Citrix Support Article.

Additional Resources and Support:

Vulnerability Reporting:

  • Citrix encourages the reporting of security vulnerabilities. Details on their vulnerability response process and how to report security issues can be found at the Citrix Trust Center.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Get OP Innovate CTI Alerts

Leave your email and get critical updates and alerts straight to your inbox