A number of security issues have been identified in certain Intel CPU hardware that may allow unprivileged code running on a CPU core to infer the value of memory data belonging to other processes, virtual machines, or the hypervisor that are, or have recently been, running on the same CPU core. This blog will discuss these new vulnerabilities and provide recommendations on how to address them in your Citrix environments. These newly identified security issues belong to the same class of vulnerabilities that previously included Meltdown, Spectre, and L1 Terminal Fault (L1TF) vulnerabilities, collectively known as speculative side channel methods (see Introduction to Speculative Execution Side Channel Methods for more details).
Collectively, this group of vulnerabilities is called microarchitectural data sampling (MDS). The table below provides an overview of these vulnerabilities together with their CVE number and Intel’s assigned CVSS score:
Vulnerability Name | CVE | CVSS Vulnerability Score |
Microarchitectural Load Port Data Sampling (MLPDS) | CVE-2018-12127 | 6.5 |
Microarchitectural Store Buffer Data Sampling (MSBDS) | CVE-2018-12126 | 6.5 |
Microarchitectural Fill Buffer Data Sampling (MFBDS) | CVE-2018-12130 | 6.5 |
Microarchitectural Uncacheable Data Sampling (MDSUM) | CVE-2019-11091 | 3.8 |
MDS only refers to methods that involve microarchitectural structures other than level 1 data cache — it is different from Meltdown or L1TF. These structures are much smaller than L1 cache, hold less data, and are overwritten more frequently. However, with a large enough data sample, ability to change the target machine’s behavior, or simply given enough time, an attacker might be able to compromise confidentiality of the system.
Customers with AMD CPUs are believed to be unaffected by these issues. A list of affected Intel CPUs can be found at https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html. For some of the affected processors, Intel is providing microcode updates to help mitigate the issue. These microcode updates, however, are just one step in mitigating the vulnerability. Hypervisors and guest operating systems will also need to be updated to complete the mitigation.
Customers should evaluate their workload to determine if the mitigation of disabling hyperthreading is required in their environment and to understand the performance impact of this mitigation. Exploiting these vulnerabilities requires the ability to locally execute code in either user or kernel mode.
Key Variables for Performance Impact
Expected performance impact can vary great depending on various factors:
- CPU Overcommit – Hosts with heavy CPU overcommit ratios are more likely to experience performance/density degradation than those with 1:1 (or less) vCPU to pCPU allocation.
- Operating System – There are various Operating System factors involved, from different utilization rates, certain mitigation being available only on certain OS versions, or number of components that are available (client OS are often more heavily impacted than server OS).
- Workload – Most mitigations currently depend on some form of isolation between contexts (VMs, hypervisor, etc.) running on sibling SMT threads from a single core.
While the initial mitigation of disabling hyperthreading can have significant impact on overall performance, it can be reduced by re-evaluating your sizing, CPU allocation and CPU overcommit ratios.
What To Do
Best practices for mitigating threats of this nature include segregation of end-user environments from privileged user environments and critical business-application infrastructure. This can be done with virtualization and network segmentation.
We recommend that all Citrix Virtual Apps and Desktops customers immediately update their microcode/BIOS, hypervisors, and operating systems. Look to your manufacturer for additional details and patch release dates.
Citrix Consulting is also offering hands-on assistance with the mitigation process for vulnerability issues identified in CPU architectures. This custom engagement can help mitigate security risk while controlling negative effects and optimizing the environment. If you are interested in this offering, contact your local sales representative.
To read the latest information about our approach to security, privacy, and compliance, visit the Citrix Trust Center. You can also contact our Citrix Security Response Team at Citrix Trust Center if you would like to report a product vulnerability or a Citrix service security issue. We also recommend registering for notifications of security bulletins and updates.
An advisory from Intel can be found at Microarchitectural Data Sampling Advisory from Intel.
UPDATE: For our Citrix Hypervisor customers, we have prepared a new Citrix Security bulletin discussing the impact and recommended mitigations: https://support.citrix.com/article/CTX251995