Citrix XenServer QEMU Display Geometry Resize Handling Guest-to-Host Code Execution (CTX221578)

High Nessus Plugin ID 97948

Synopsis

The remote host is affected by a guest-to-host arbitrary code execution vulnerability.

Description

The version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by a guest-to-host arbitrary code execution vulnerability in the QEMU component. When a blank mode is selected synchronously for the next update interval, the console resize is not completed immediately, yet other console components already operate with the new size values before the underlying buffers have been resized. An attacker with control of a guest can exploit this mismatch to trigger a heap-based buffer overflow in the QEMU process on the host, resulting in a denial of service condition or the execution of arbitrary code on the host.

Solution

Apply the appropriate hotfix according to the vendor advisory.
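This plugin only reports when paranoid mode is enabled, which Nessus reserves for checks that can produce false positives, so a finding should be confirmed on the host itself before it is treated as actionable. The following POSIX shell script is an added example, not code from the Nessus plugin or from Citrix, of such a local check: it reads the product version and the host's own UUID from /etc/xensource-inventory and decides whether a named hotfix is applied on this host from `xe patch-list` output. The inventory and patch-list text are constructed samples in the real layout, and the hotfix labels XSEXAMPLE001 and XSEXAMPLE002 are placeholders; the real label for the installed release must be taken from CTX221578.

```shell
#!/bin/sh
# Added example, not code from the Nessus plugin or from Citrix: check a
# XenServer host for a specific hotfix. The hotfix label is an input; the
# labels XSEXAMPLE001/XSEXAMPLE002 below are constructed placeholders, and
# the real label for this host's release must be taken from CTX221578.

# Constructed sample of /etc/xensource-inventory (same key='value' layout
# as on a real host; INSTALLATION_UUID is the host's own UUID).
SAMPLE_INVENTORY=$(cat <<'EOF'
PRODUCT_BRAND='XenServer'
PRODUCT_VERSION='6.5.0'
BUILD_NUMBER='90233c'
INSTALLATION_UUID='aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
EOF
)

# Constructed sample of `xe patch-list` output. XSEXAMPLE001 is applied to
# this host; XSEXAMPLE002 has been uploaded to the pool but applied nowhere.
SAMPLE_PATCH_LIST=$(cat <<'EOF'
uuid ( RO)                    : 11111111-2222-3333-4444-555555555555
              name-label ( RO): XSEXAMPLE001
        name-description ( RO): Public Availability: constructed sample entry
                    size ( RO): 1234
                   hosts (SRO): aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
    after-apply-guidance (SRO): restartHost


uuid ( RO)                    : 66666666-7777-8888-9999-000000000000
              name-label ( RO): XSEXAMPLE002
        name-description ( RO): Public Availability: constructed sample entry
                    size ( RO): 5678
                   hosts (SRO): 
    after-apply-guidance (SRO): restartHost
EOF
)

# Print the value of one key from inventory text ($1 = text, $2 = key).
inventory_value() {
    printf '%s\n' "$1" | sed -n "s/^$2='\([^']*\)'.*/\1/p"
}

# Succeed only if hotfix $2 is listed as applied on host UUID $3 in the
# patch-list text $1. A hotfix that is merely uploaded to the pool has an
# empty or foreign `hosts` field and must not count as applied.
hotfix_applied() {
    printf '%s\n' "$1" | awk -v label="$2" -v host="$3" '
        /^uuid \( RO\)/        { match_label = 0 }   # start of a new record
        /name-label \( RO\):/  { line = $0
                                 sub(/.*name-label \( RO\): */, "", line)
                                 if (line == label) match_label = 1 }
        /hosts \(SRO\):/       { if (match_label && host != "" && index($0, host)) hit = 1 }
        END                    { exit hit ? 0 : 1 }'
}

# Report one hotfix against one host; returns 0 when applied, 1 otherwise.
check_hotfix() {
    inventory=$1; patches=$2; label=$3
    version=$(inventory_value "$inventory" PRODUCT_VERSION)
    host=$(inventory_value "$inventory" INSTALLATION_UUID)
    if hotfix_applied "$patches" "$label" "$host"; then
        echo "XenServer $version host $host: $label applied"
        return 0
    fi
    echo "XenServer $version host $host: $label NOT applied"
    return 1
}

# Demonstration on the constructed samples: status ends up 1 because
# XSEXAMPLE002 is not applied on this host.
status=0
for label in XSEXAMPLE001 XSEXAMPLE002; do
    check_hotfix "$SAMPLE_INVENTORY" "$SAMPLE_PATCH_LIST" "$label" || status=1
done
```

On a live host, replace the two samples with `$(cat /etc/xensource-inventory)` and `$(xe patch-list)` (XenServer 7.x also exposes hotfixes through `xe update-list`) and pass the hotfix label that CTX221578 names for that release. The `hosts` field check matters because a hotfix uploaded to the pool is listed by `xe patch-list` on every pool member whether or not it has been applied to the host you are standing on; a version match plus the label appearing in the list is not enough.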

See Also

https://support.citrix.com/article/CTX221578

Plugin Details

Severity: High

ID: 97948

File Name: citrix_xenserver_CTX221578.nasl

Version: 1.8

Type: local

Family: Misc.

Published: 2017/03/24

Updated: 2019/11/13

Dependencies: 76770

Configuration: Enable paranoid mode

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2016-9603

CVSS v2.0

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.9

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:citrix:xenserver

Required KB Items: Host/XenServer/version, Host/local_checks_enabled, Settings/ParanoidReport

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2017/03/14

Vulnerability Publication Date: 2017/03/14

Reference Information

CVE: CVE-2016-9603

BID: 96893