| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
Computer vulnerabilities of Citrix XenDesktop
Citrix XenApp, XenDesktop: privilege escalation via Memory Permission
Synthesis of the vulnerability
A local attacker can potentially manipulate the memory of Citrix XenApp or XenDesktop, in order to escalate his privileges.
Impacted products: XenApp, XenDesktop.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 03/08/2016.
Identifiers: CTX215460, CVE-2016-6493, VIGILANCE-VUL-20302.
Description of the vulnerability
The Citrix XenApp and XenDesktop products use shared memory.
However, access permissions to some memory areas are incorrect.
A local attacker can therefore potentially manipulate the memory of Citrix XenApp or XenDesktop, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
Citrix XenDesktop: creation of insecrure configuration with Citrix Studio
Synthesis of the vulnerability
An attacker can make profit of insufficient access control rules as created by Studio of Citrix XenDesktop compared to the rules desired by the administrator.
Impacted products: XenDesktop.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 01/06/2016.
Identifiers: CERTFR-2016-AVI-184, CTX213045, CVE-2016-4810, VIGILANCE-VUL-19756.
Description of the vulnerability
The Citrix XenDesktop product includes an application Studio for configuration editing.
However, this application may create insecure access rules.
An attacker can therefore make profit of insufficient access control rules as created by Studio of Citrix XenDesktop compared to the rules desired by the administrator.
Full Vigil@nce bulletin... (Free trial) |
glibc: buffer overflow of getaddrinfo
Synthesis of the vulnerability
An attacker, who owns a malicious DNS server, can reply with long data to a client application using the getaddrinfo() function of the glibc, in order to trigger a denial of service, and possibly to run code in the client application.
Impacted products: ArubaOS, Blue Coat CAS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco Catalyst, IOS XE Cisco, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Cisco Prime DCNM, Secure ACS, Cisco CUCM, Cisco IP Phone, Cisco Wireless IP Phone, Cisco Wireless Controller, XenDesktop, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, ExtremeXOS, BIG-IP Hardware, TMOS, Fedora, QRadar SIEM, Trinzic, NSM Central Manager, NSMXpress, McAfee Email Gateway, McAfee MOVE AntiVirus, VirusScan, McAfee Web Gateway, openSUSE, openSUSE Leap, Palo Alto Firewall PA***, PAN-OS, RealPresence Distributed Media Application, Polycom VBP, RHEL, ROX, RuggedSwitch, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, VMware vSphere, VMware vSphere Hypervisor, WindRiver Linux.
Severity: 4/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 16/02/2016.
Revision date: 17/02/2016.
Identifiers: 046146, 046151, 046153, 046155, 046158, 1977665, 478832, 479427, 479906, 480572, 480707, 480708, ARUBA-PSA-2016-001, BSA-2016-003, BSA-2016-004, CERTFR-2016-AVI-066, CERTFR-2016-AVI-071, CERTFR-2017-AVI-012, CERTFR-2017-AVI-022, cisco-sa-20160218-glibc, CTX206991, CVE-2015-7547, ESA-2016-020, ESA-2016-027, ESA-2016-028, ESA-2016-029, ESA-2016-030, FEDORA-2016-0480defc94, FEDORA-2016-0f9e9a34ce, JSA10774, KB #4858, openSUSE-SU-2016:0490-1, openSUSE-SU-2016:0510-1, openSUSE-SU-2016:0511-1, openSUSE-SU-2016:0512-1, PAN-SA-2016-0021, RHSA-2016:0175-01, RHSA-2016:0176-01, RHSA-2016:0225-01, SA114, SB10150, SOL47098834, SSA:2016-054-02, SSA-301706, SUSE-SU-2016:0470-1, SUSE-SU-2016:0471-1, SUSE-SU-2016:0472-1, SUSE-SU-2016:0473-1, USN-2900-1, VIGILANCE-VUL-18956, VMSA-2016-0002, VMSA-2016-0002.1, VN-2016-003.
Description of the vulnerability
The glibc library implements a DNS resolver (libresolv).
An application can thus call the getaddrinfo() function, which queries DNS servers. When the AF_UNSPEC type is used in the getaddrinfo() call, two DNS A and AAAA queries are sent simultaneously. However, this special case, and a case with AF_INET6 are not correctly managed, and lead to an overflow if the reply coming from the DNS server is larger than 2048 bytes.
An attacker, who owns a malicious DNS server, can therefore reply with large data to a client application using the getaddrinfo() function of the glibc, in order to trigger a denial of service, and possibly to run code in the client application.
Full Vigil@nce bulletin... (Free trial) |
Citrix XenDesktop: privilege escalation via Pooled Random Desktop Groups
Synthesis of the vulnerability
An attacker can use a Pooled Random Desktop Group of Citrix XenDesktop, in order to escalate his privileges.
Impacted products: XenDesktop.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 10/07/2014.
Identifiers: CERTFR-2014-AVI-310, CTX139591, CVE-2014-4700, VIGILANCE-VUL-15031.
Description of the vulnerability
The Citrix XenDesktop product can be deployed in mode Pooled Random Desktop Groups, with ShutdownDesktopsAfterUse disabled.
However, in this configuration, an attacker can access to the desktop of another user.
An attacker can therefore use a Pooled Random Desktop Group of Citrix XenDesktop, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
OpenSSL: information disclosure via Heartbeat
Synthesis of the vulnerability
An attacker can use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
Impacted products: Tomcat, ArubaOS, i-Suite, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, ARCserve Backup, ASA, Cisco Catalyst, IOS XE Cisco, Prime Infrastructure, Cisco PRSM, Cisco Router, Cisco CUCM, Cisco IP Phone, Cisco Unity ~ precise, XenDesktop, MIMEsweeper, Clearswift Email Gateway, Clearswift Web Gateway, Debian, ECC, PowerPath, ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, HP Diagnostics, LoadRunner, Performance Center, AIX, WebSphere MQ, WS_FTP Server, IVE OS, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SA, Juniper UAC, LibreOffice, MBS, McAfee Email Gateway, ePO, GroupShield, McAfee NGFW, VirusScan, McAfee Web Gateway, Windows 8, Windows RT, MySQL Enterprise, NetBSD, OpenBSD, OpenSSL, openSUSE, Opera, Solaris, pfSense, HDX, RealPresence Collaboration Server, Polycom VBP, Puppet, RHEL, RSA Authentication Manager, SIMATIC, Slackware, Sophos AV, Splunk Enterprise, Stonesoft NGFW/VPN, stunnel, ASE, OfficeScan, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, VMware Player, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, VMware Workstation, Websense Email Security, Websense Web Filter, Websense Web Security.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/04/2014.
Identifiers: 1669839, 190438, 2076225, 2962393, c04236102, c04267775, c04286049, CA20140413-01, CERTFR-2014-ALE-003, CERTFR-2014-AVI-156, CERTFR-2014-AVI-161, CERTFR-2014-AVI-162, CERTFR-2014-AVI-167, CERTFR-2014-AVI-169, CERTFR-2014-AVI-177, CERTFR-2014-AVI-178, CERTFR-2014-AVI-179, CERTFR-2014-AVI-180, CERTFR-2014-AVI-181, CERTFR-2014-AVI-198, CERTFR-2014-AVI-199, CERTFR-2014-AVI-213, cisco-sa-20140409-heartbleed, CTX140605, CVE-2014-0160, CVE-2014-0346-REJECT, DSA-2896-1, DSA-2896-2, emr_na-c04236102-7, ESA-2014-034, ESA-2014-036, ESA-2014-075, FEDORA-2014-4879, FEDORA-2014-4910, FEDORA-2014-4982, FEDORA-2014-4999, FG-IR-14-011, FreeBSD-SA-14:06.openssl, Heartbleed, HPSBMU02995, HPSBMU03025, HPSBMU03040, ICSA-14-105-03, JSA10623, MDVSA-2014:123, MDVSA-2015:062, NetBSD-SA2014-004, openSUSE-SU-2014:0492-1, openSUSE-SU-2014:0560-1, openSUSE-SU-2014:0719-1, pfSense-SA-14_04.openssl, RHSA-2014:0376-01, RHSA-2014:0377-01, RHSA-2014:0378-01, RHSA-2014:0396-01, RHSA-2014:0416-01, SA40005, SA79, SB10071, SOL15159, SPL-82696, SSA:2014-098-01, SSA-635659, SSRT101565, USN-2165-1, VIGILANCE-VUL-14534, VMSA-2014-0004, VMSA-2014-0004.1, VMSA-2014-0004.2, VMSA-2014-0004.3, VMSA-2014-0004.6, VMSA-2014-0004.7, VU#720951.
Description of the vulnerability
The Heartbeat extension of TLS (RFC 6520) provides a keep-alive feature, without performing a renegotiation. It exchanges random data in a payload.
Version 1.0.1 of OpenSSL implements Heartbeat, which is enabled by default. The [d]tls1_process_heartbeat() function manages Heartbeat messages. However, it does not check the size of random data, and continues to read after the end of the payload, and then sends the full memory area (up to 64kb) to the peer (client or server).
An attacker can therefore use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
Full Vigil@nce bulletin... (Free trial) |
Citrix XenDesktop: policy bypass after an upgrade
Synthesis of the vulnerability
When the Citrix XenDesktop product was upgraded from version 5.x to 7.0, an attacker can bypass the security policy previously defined by the administrator.
Impacted products: XenDesktop.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: user account.
Creation date: 23/10/2013.
Identifiers: BID-63413, CERTA-2013-AVI-598, CTX138627, CVE-2013-6077, VIGILANCE-VUL-13633.
Description of the vulnerability
The Citrix XenDesktop product uses security policy rules, which have permissions.
However, after an upgrade from version 5.x to 7.0, permissions are not correctly updated.
When the Citrix XenDesktop product was upgraded from version 5.x to 7.0, an attacker can therefore bypass the security policy previously defined by the administrator.
Full Vigil@nce bulletin... (Free trial) |
Xen: denial of service via the paging management
Synthesis of the vulnerability
An attacker can raise a fatal exception in the page table management of Xen, in order to trigger a denial of service.
Impacted products: XenDesktop, XenServer, Debian, Fedora, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user console.
Creation date: 27/06/2013.
Identifiers: BID-60799, CERTA-2013-AVI-394, CERTA-2013-AVI-496, CTX138134, CTX138633, CVE-2013-1432, DSA-3006-1, FEDORA-2013-11837, FEDORA-2013-11871, FEDORA-2013-11874, openSUSE-SU-2013:1392-1, openSUSE-SU-2013:1404-1, SUSE-SU-2014:0446-1, VIGILANCE-VUL-13010, XSA-58.
Description of the vulnerability
In a Xen based system, memory page frames are managed both by Xen and by the guest systems.
Xen frees pages frames when no guest system uses them anymore. However, when fixing the vulnerability described in VIGILANCE-VUL-12747, an error in the reference counter handling has been introduced. A malicious guest system can then make Xen prematurely free a page, which leads to an exception in Xen at the first access after free, and then to host system halt.
An attacker can therefore raise a fatal exception in the page table management of Xen, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial) |
Xen: privilege escalation via libelf
Synthesis of the vulnerability
An attacker, who is administrator in a PV/HVM kernel, can load a malicious kernel/firmware, to corrupt the memory of libelf of Xen, in order to escalate his privileges on the host system.
Impacted products: XenDesktop, XenServer, Debian, Fedora, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 3.
Creation date: 05/06/2013.
Identifiers: BID-60701, BID-60702, BID-60703, CERTA-2013-AVI-380, CERTA-2013-AVI-496, CTX138058, CTX138633, CVE-2013-2194, CVE-2013-2195, CVE-2013-2196, DSA-3006-1, FEDORA-2013-10929, FEDORA-2013-10941, SUSE-SU-2013:1314-1, SUSE-SU-2014:0411-1, SUSE-SU-2014:0446-1, SUSE-SU-2014:0470-1, VIGILANCE-VUL-12914, XSA-55.
Description of the vulnerability
The Xen product uses libelf, in order to analyze ELF data of the kernel/firmware.
However, libelf is impacted by several integer overflows and memory corruptions.
An attacker, who is administrator in a PV/HVM kernel, can therefore load a malicious kernel/firmware, to corrupt the memory of libelf of Xen, in order to escalate his privileges on the host system.
Full Vigil@nce bulletin... (Free trial) |
Xen: denial of service via pciback
Synthesis of the vulnerability
An attacker, who is located in a guest system, can trigger numerous PCI errors, in order to overload the host system.
Impacted products: XenDesktop, XenServer, Debian, Fedora, Linux, MBS, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 05/02/2013.
Identifiers: BID-57740, CERTA-2013-AVI-098, CERTA-2013-AVI-158, CERTA-2013-AVI-259, CERTA-2013-AVI-412, CERTA-2013-AVI-496, CTX136540, CTX138633, CVE-2013-0231, DSA-2632-1, FEDORA-2013-2728, MDVSA-2013:194, openSUSE-SU-2013:0395-1, openSUSE-SU-2013:0396-1, openSUSE-SU-2013:0925-1, openSUSE-SU-2013:1619-1, RHSA-2013:0747-01, SUSE-SU-2013:0674-1, SUSE-SU-2013:0759-1, SUSE-SU-2013:0759-2, SUSE-SU-2013:0786-1, VIGILANCE-VUL-12380, XSA-43.
Description of the vulnerability
The pciback_enable_msi() function of the drivers/xen/pciback/conf_space_capability_msi.c file is used to enable MSI (Message Signaled Interrupts) on PCI. It is called via the XEN_PCI_OP_enable_msi operation.
If MSI cannot be enabled, this function calls printk() to display a kernel error message. However, there is no limit on the number of times that this function can be called.
An attacker, who is located in a guest system, can therefore trigger numerous PCI errors, in order to overload the host system.
Full Vigil@nce bulletin... (Free trial) |
Xen: denials of service via netback
Synthesis of the vulnerability
A local attacker, who is located in a Xen guest system, can trigger two denials of service via netback.
Impacted products: XenDesktop, XenServer, MBS, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 05/02/2013.
Identifiers: BID-57743, BID-57744, CERTA-2013-AVI-098, CERTA-2013-AVI-158, CERTA-2013-AVI-259, CERTA-2013-AVI-375, CERTA-2013-AVI-496, CTX136540, CTX138633, CVE-2013-0216, CVE-2013-0217, MDVSA-2013:176, openSUSE-SU-2013:0395-1, openSUSE-SU-2013:0396-1, openSUSE-SU-2013:0925-1, RHSA-2013:0747-01, SUSE-SU-2013:0674-1, SUSE-SU-2013:0759-1, SUSE-SU-2013:0759-2, SUSE-SU-2013:0786-1, VIGILANCE-VUL-12379, XSA-39.
Description of the vulnerability
The netback driver of Xen is located in the kernel of Dom0, and it is connected to virtual network devices of DomU systems. It is impacted by two vulnerabilities.
An attacker can trigger a large loop. [severity:1/4; BID-57743, CVE-2013-0216]
An attacker can trigger a memory leak. [severity:1/4; BID-57744, CVE-2013-0217]
A local attacker, who is located in a Xen guest system, can therefore trigger two denials of service via netback.
Full Vigil@nce bulletin... (Free trial) |
Our database contains other pages. You can request a free trial to read them.
|