Citrix XenServer QEMU Display Geometry Resize Handling Guest-to-Host Code Execution (CTX221578)

2017-03-2400:00:00

www.tenable.com

The version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by a guest-to-host arbitrary code execution vulnerability in the QEMU component due to a failure to immediately complete resize operations when a blank mode is synchronously selected for the next update interval. Since other console components will already be operating with the new size values before the operation is completed, an attacker within a guest can exploit this issue to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code on the host.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(97948);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2016-9603");
  script_bugtraq_id(96893);

  script_name(english:"Citrix XenServer QEMU Display Geometry Resize Handling Guest-to-Host Code Execution (CTX221578)");
  script_summary(english:"Checks for patches.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a guest-to-host arbitrary code
execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Citrix XenServer running on the remote host is missing
a security hotfix. It is, therefore, affected by a guest-to-host
arbitrary code execution vulnerability in the QEMU component due to a
failure to immediately complete resize operations when a blank mode is
synchronously selected for the next update interval. Since other
console components will already be operating with the new size values
before the operation is completed, an attacker within a guest can
exploit this issue to cause a heap-based buffer overflow, resulting in
a denial of service condition or the execution of arbitrary code on
the host.");
  script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX221578");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate hotfix according to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9603");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/24");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:citrix:xenserver");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("citrix_xenserver_version.nbin");
  script_require_keys("Host/XenServer/version", "Host/local_checks_enabled", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

app_name = "Citrix XenServer";
version = get_kb_item_or_exit("Host/XenServer/version");
get_kb_item_or_exit("Host/local_checks_enabled");
patches = get_kb_item("Host/XenServer/patches");
vuln = FALSE;
fix = '';

if (version == "6.0.2")
{
  fix = "XS602ECC042"; # CTX221568
  if (fix >!< patches) vuln = TRUE;
}
else if (version =~ "^6\.2\.0")
{
  fix = "XS62ESP1058"; # CTX221569
  if (fix >!< patches) vuln = TRUE;
}
else if (version =~ "^6\.5\.0")
{
  fix = "XS65ESP1052"; # CTX221716
  if (fix >!< patches) vuln = TRUE;
}
else if (version =~ "^7\.0($|[^0-9])")
{
  fix = "XS70E031"; # CTX221571
  if (fix >!< patches) vuln = TRUE;
}
else if (version =~ "^7\.1($|[^0-9])")
{
  fix = "XS71E005"; # CTX221590
  if (fix >!< patches) vuln = TRUE;
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

if (vuln)
{
  port = 0;
  report = report_items_str(
    report_items:make_array(
      "Installed version", version,
      "Missing hotfix", fix
    ),
    ordered_fields:make_list("Installed version", "Missing hotfix")
  );
  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
}
else audit(AUDIT_PATCH_INSTALLED, fix);

VendorProductVersionCPE
citrixxenservercpe:/a:citrix:xenserver

Vendor	Product	Version	CPE
citrix	xenserver		cpe:/a:citrix:xenserver

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9603

support.citrix.com/article/CTX221578

JSON

Related for CITRIX_XENSERVER_CTX221578.NASL