Citrix XenServer Multiple Vulnerabilities (CTX212736)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote host is affected by multiple vulnerabilities.

Description :

The version of Citrix XenServer running on the remote host is affected
by multiple vulnerabilities in the bundled versions of OpenSSL and
QEMU :

  - A padding oracle flaw exists in the bundled version of
    OpenSSL in the aesni_cbc_hmac_sha1_cipher() and
    aesni_cbc_hmac_sha256_cipher() functions, the AES-NI
    fast path for AES-CBC cipher suites with an HMAC. It is
    triggered when the connection uses an AES-CBC cipher
    suite and the server supports AES-NI. A man-in-the-
    middle attacker can exploit this issue to conduct a
    padding oracle attack, resulting in the ability to
    decrypt the TLS traffic. (CVE-2016-2107)

  - A memory corruption vulnerability exists in the bundled
    version of OpenSSL in the ASN.1 encoder component due
    to an underflow condition that occurs when attempting
    to encode the value zero represented as a negative
    integer. Applications that parse and re-encode
    untrusted ASN.1 data, such as X.509 certificates, are
    affected. An unauthenticated, remote attacker can
    exploit this to corrupt memory, potentially resulting
    in the execution of arbitrary code. (CVE-2016-2108)

  - An out-of-bounds write error exists in the bundled
    version of QEMU in the vga_update_memory_access()
    function that is triggered when access modes are
    changed after the register bank has been set. An
    attacker in the guest can exploit this to execute
    arbitrary code with the privileges of the host's QEMU
    process. (CVE-2016-3710)

- An integer overflow condition exists in the bundled
version of QEMU in the vbe_update_vgaregs() function
that is triggered when setting certain VGA registers
while in VBE mode. An attacker on the guest can
exploit this to crash the host's QEMU process.
(CVE-2016-3712)
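The padding oracle in the first item only applies when the server still negotiates an AES-CBC cipher suite, so a useful triage step is to probe a XenServer management interface for exactly that. The following is an added example, not the Nessus plugin's detection logic and not Citrix code; the host and port are assumed to be supplied by the caller, and the sample cipher names are constructed for the offline classifier. It cannot see whether the server's OpenSSL uses AES-NI, and it does not replace checking that the vendor hotfix is installed.

```python
"""Added example: probe a TLS endpoint for the CVE-2016-2107 precondition
(an AES-CBC cipher suite is negotiable). Not Tenable or Citrix code."""
import socket
import ssl
import sys

# AEAD tags OpenSSL puts in a cipher name; an AES suite that carries none
# of these is a CBC suite (AES128-SHA, ECDHE-RSA-AES256-SHA384, ...).
AEAD_TAGS = ("GCM", "CCM", "CCM8", "POLY1305")


def is_aes_cbc(cipher_name):
    """True if an OpenSSL-style cipher name is AES in CBC mode with an HMAC."""
    parts = cipher_name.upper().split("-")
    uses_aes = any(p.startswith("AES") for p in parts)
    is_aead = any(p in AEAD_TAGS for p in parts)
    return uses_aes and not is_aead


def classify(cipher_names):
    """Split cipher names into (cbc, other) for reporting."""
    cbc = [c for c in cipher_names if is_aes_cbc(c)]
    other = [c for c in cipher_names if not is_aes_cbc(c)]
    return cbc, other


def negotiates_aes_cbc(host, port=443, timeout=5.0):
    """Offer only AES-CBC suites over TLS <= 1.2 and return the suite the
    server picks, or None if it refuses. Certificate verification is off
    on purpose: this probes cipher selection, not trust. Whether the
    server uses AES-NI cannot be observed remotely."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # TLS 1.3 suites are all AEAD, so cap at 1.2 to keep the offer CBC-only.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax: every AES suite minus the AEAD ones.
    ctx.set_ciphers("AES:!AESGCM:!AESCCM:!aNULL:!eNULL")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name = tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None
    return name if is_aes_cbc(name) else None


# Constructed sample names, as ssl.SSLSocket.cipher() would report them.
SAMPLE_CIPHERS = [
    "AES128-SHA",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "AES256-CCM",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        picked = negotiates_aes_cbc(sys.argv[1])
        if picked:
            print("server negotiated AES-CBC suite:", picked)
        else:
            print("no AES-CBC suite negotiated (or handshake refused)")
    else:
        cbc, other = classify(SAMPLE_CIPHERS)
        print("CBC suites (CVE-2016-2107 precondition):", cbc)
        print("AEAD suites (not affected):", other)
```

A host that refuses every CBC offer is not exploitable via CVE-2016-2107 regardless of its OpenSSL build; a host that accepts one still needs the hotfix, since the same build may be reachable by clients you do not control.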

See also :

https://support.citrix.com/article/CTX212736

Solution :

Apply the appropriate hotfix as referenced in the vendor advisory.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 91352

Bugtraq ID: 90314, 90316

CVE ID: CVE-2016-2107, CVE-2016-2108, CVE-2016-3710, CVE-2016-3712
