Synopsis

A server virtualization platform installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities:
- A flaw exists in the emulation of the x86 CMPXCHG8B instruction: the legacy operand-size override prefix, which this instruction is architecturally required to ignore, is honored instead when the instruction's prefixes are decoded. A guest attacker can exploit this to read a small amount of hypervisor memory and thereby disclose potentially sensitive information about the host. Note that this read is restricted to privileged-mode code in all guests except on Citrix XenServer 6.2 SP1 and 6.0.2CC, where the attack may also be performed from non-privileged-mode code in HVM guest VMs.
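To make the decode rule concrete, the following is an added example (not code from Xen or Citrix) of a minimal, hypothetical instruction-length decoder for CMPXCHG8B/CMPXCHG16B (opcode 0F C7 /1). The architectural rule is that the 0x66 operand-size prefix is ignored and only REX.W selects the 16-byte form; the flawed variant instead lets 0x66 shrink the operand, which is the class of mistake the advisory describes. The byte sequences in `main` are constructed test inputs, and the prefix handling is simplified to what this instruction needs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return the operand width in bytes for a decoded CMPXCHG8B/CMPXCHG16B, or 0 if
 * the bytes are not that instruction. honor_legacy_override=true reproduces the
 * flawed behaviour (0x66 treated as an operand-size change); false applies the
 * architectural rule (0x66 ignored, only REX.W widens the operand to 16 bytes). */
static unsigned cmpxchg8b_width(const uint8_t *insn, size_t len,
                                bool honor_legacy_override)
{
    size_t i = 0;
    bool opsize = false, rex_w = false;

    /* Legacy prefixes: 0x66 is recorded; LOCK (0xF0, legal with this
     * instruction) and segment overrides are skipped. Anything else ends the
     * prefix run. */
    for (; i < len; i++) {
        uint8_t b = insn[i];
        if (b == 0x66)
            opsize = true;
        else if (b == 0xF0 || b == 0x26 || b == 0x2E || b == 0x36 ||
                 b == 0x3E || b == 0x64 || b == 0x65)
            continue;
        else
            break;
    }

    /* REX prefix (64-bit mode): 0x40..0x4F, W is bit 3, must directly precede
     * the opcode. */
    if (i < len && (insn[i] & 0xF0) == 0x40) {
        rex_w = (insn[i] & 0x08) != 0;
        i++;
    }

    /* Opcode 0F C7 with ModRM reg field /1 and a memory operand (mod != 3).
     * Other reg values on 0F C7 (e.g. /6 RDRAND) are not this instruction. */
    if (i + 3 > len || insn[i] != 0x0F || insn[i + 1] != 0xC7)
        return 0;
    uint8_t modrm = insn[i + 2];
    if (((modrm >> 3) & 7) != 1 || (modrm >> 6) == 3)
        return 0;

    if (rex_w)
        return 16;                          /* CMPXCHG16B */
    if (honor_legacy_override && opsize)
        return 2;                           /* flawed: no such encoding exists */
    return 8;                               /* CMPXCHG8B */
}

/* Constructed sample encodings (all use [rdi] as the memory operand). */
static const uint8_t enc_plain[]   = {0x0F, 0xC7, 0x0F};              /* cmpxchg8b  [rdi] */
static const uint8_t enc_opsize[]  = {0x66, 0x0F, 0xC7, 0x0F};        /* 66-prefixed      */
static const uint8_t enc_rexw[]    = {0x48, 0x0F, 0xC7, 0x0F};        /* cmpxchg16b [rdi] */
static const uint8_t enc_both[]    = {0x66, 0x48, 0x0F, 0xC7, 0x0F};  /* 66 + REX.W       */
static const uint8_t enc_lock[]    = {0xF0, 0x0F, 0xC7, 0x0F};        /* lock cmpxchg8b   */
static const uint8_t enc_rdrand[]  = {0x0F, 0xC7, 0xF0};              /* rdrand eax (/6)  */

int main(void)
{
    struct { const char *name; const uint8_t *b; size_t n; } cases[] = {
        {"plain",  enc_plain,  sizeof enc_plain},
        {"66",     enc_opsize, sizeof enc_opsize},
        {"REX.W",  enc_rexw,   sizeof enc_rexw},
        {"66+W",   enc_both,   sizeof enc_both},
        {"lock",   enc_lock,   sizeof enc_lock},
        {"rdrand", enc_rdrand, sizeof enc_rdrand},
    };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++)
        printf("%-7s flawed=%2u fixed=%2u\n", cases[k].name,
               cmpxchg8b_width(cases[k].b, cases[k].n, true),
               cmpxchg8b_width(cases[k].b, cases[k].n, false));
    return 0;
}
```

The only input on which the two variants disagree is the 0x66-prefixed form: the flawed decoder derives a 2-byte width that the instruction cannot have, and any emulator that sizes its compare and write-back from that value will operate on the wrong number of bytes of its scratch state, which is how a width-decoding slip turns into a memory disclosure.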
- A denial of service vulnerability exists when a guest asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF. A guest attacker can exploit this to cause the host to hang or crash.
- A denial of service vulnerability exists due to a NULL pointer dereference in the instruction emulator: the hvmemul_vmfunc() hook is invoked through a function pointer without first checking that the pointer is non-NULL. A guest attacker can exploit this to crash the hypervisor. Note that the ability of privileged-mode code in HVM guest VMs to crash the host is restricted to AMD systems running Citrix XenServer 7.0. (CVE-2016-10025)
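The pattern behind this flaw, as an added example that is not Xen's code: an emulator keeps a per-platform table of hooks, some of which are optional and legitimately NULL on platforms that lack the feature, and a dispatcher that makes the indirect call without checking the pointer crashes the host the moment a guest executes the instruction on such a platform. The table names, result codes and `vmfunc_supported` hook below are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes of the hypothetical emulator (assumed names, not Xen's). */
enum emul_rc { EMUL_OKAY = 0, EMUL_UNHANDLEABLE = 1 };

/* Per-platform hook table. VMFUNC is only implemented by some platforms, so
 * the hook is optional and may be NULL. */
struct emul_ops {
    const char *name;
    int (*vmfunc)(uint32_t eax);
};

/* Toy VMFUNC implementation: EAX selects the VM function; only function 0 is
 * defined here, so anything else is reported as unhandleable. */
static int vmfunc_supported(uint32_t eax)
{
    return eax == 0 ? EMUL_OKAY : EMUL_UNHANDLEABLE;
}

/* Constructed platform tables: one with the hook, one without. */
static const struct emul_ops ops_with_vmfunc    = { "with-vmfunc",    vmfunc_supported };
static const struct emul_ops ops_without_vmfunc = { "without-vmfunc", NULL };

/* Flawed dispatcher: unconditional indirect call. With ops_without_vmfunc this
 * dereferences NULL, i.e. a guest instruction takes down the hypervisor. */
static int emulate_vmfunc_flawed(const struct emul_ops *ops, uint32_t eax)
{
    return ops->vmfunc(eax);
}

/* Fixed dispatcher: a missing hook means the instruction cannot be emulated
 * here, so the caller gets an error it can turn into a fault for the guest. */
static int emulate_vmfunc_fixed(const struct emul_ops *ops, uint32_t eax)
{
    if (ops->vmfunc == NULL)
        return EMUL_UNHANDLEABLE;
    return ops->vmfunc(eax);
}

/* Audit helper: returns the number of optional hooks that are NULL in a table,
 * the check a reviewer applies to every ops struct that gains a new member. */
static int count_missing_hooks(const struct emul_ops *ops)
{
    int missing = 0;
    if (ops->vmfunc == NULL)
        missing++;
    return missing;
}

int main(void)
{
    const struct emul_ops *tables[] = { &ops_with_vmfunc, &ops_without_vmfunc };
    for (size_t i = 0; i < sizeof tables / sizeof tables[0]; i++)
        printf("%-15s missing hooks=%d fixed dispatch rc=%d\n",
               tables[i]->name, count_missing_hooks(tables[i]),
               emulate_vmfunc_fixed(tables[i], 0));
    /* The flawed dispatcher is only safe on the table that has the hook. */
    printf("flawed dispatch on %s rc=%d\n", ops_with_vmfunc.name,
           emulate_vmfunc_flawed(&ops_with_vmfunc, 0));
    return 0;
}
```

The important property is that the fixed dispatcher never reaches the indirect call when the hook is absent, so the guest's instruction is rejected (typically by the caller injecting an exception into the guest) instead of crashing the host.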
Solution

Apply the appropriate hotfix according to the vendor advisory.