The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Citrix XenDesktop

vulnerability announcement CVE-2016-6493

Citrix XenApp, XenDesktop: privilege escalation via Memory Permission

Synthesis of the vulnerability

A local attacker can potentially manipulate the memory of Citrix XenApp or XenDesktop, in order to escalate his privileges.
Impacted products: XenApp, XenDesktop.
Severity: 2/4.
Creation date: 03/08/2016.
Identifiers: CTX215460, CVE-2016-6493, VIGILANCE-VUL-20302.

Description of the vulnerability

The Citrix XenApp and XenDesktop products use shared memory.

However, the access permissions on some of these shared memory areas are incorrect. Technical details are unknown.

A local attacker can therefore potentially manipulate the memory of Citrix XenApp or XenDesktop, in order to escalate his privileges.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability alert CVE-2016-4810

Citrix XenDesktop: creation of insecure configuration with Citrix Studio

Synthesis of the vulnerability

An attacker can take advantage of access control rules created by the Studio application of Citrix XenDesktop that are less restrictive than the rules intended by the administrator.
Impacted products: XenDesktop.
Severity: 2/4.
Creation date: 01/06/2016.
Identifiers: CERTFR-2016-AVI-184, CTX213045, CVE-2016-4810, VIGILANCE-VUL-19756.

Description of the vulnerability

The Citrix XenDesktop product includes an application, Studio, for editing its configuration.

However, this application may create access rules that are less restrictive than the ones the administrator configured. Technical details are unknown.

An attacker can therefore take advantage of access control rules created by the Studio application of Citrix XenDesktop that are less restrictive than the rules intended by the administrator.

computer vulnerability alert CVE-2015-7547

glibc: buffer overflow of getaddrinfo

Synthesis of the vulnerability

An attacker who controls a malicious DNS server can reply with an oversized response to a client application using the getaddrinfo() function of the glibc, in order to trigger a denial of service, and possibly to run code in the client application.
Impacted products: ArubaOS, Blue Coat CAS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco Catalyst, IOS XE Cisco, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Cisco Prime DCNM, Secure ACS, Cisco CUCM, Cisco IP Phone, Cisco Wireless IP Phone, Cisco Wireless Controller, XenDesktop, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, ExtremeXOS, BIG-IP Hardware, TMOS, Fedora, QRadar SIEM, Trinzic, NSM Central Manager, NSMXpress, McAfee Email Gateway, McAfee MOVE AntiVirus, VirusScan, McAfee Web Gateway, openSUSE, openSUSE Leap, Palo Alto Firewall PA***, PAN-OS, RealPresence Distributed Media Application, Polycom VBP, RHEL, ROX, RuggedSwitch, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, VMware vSphere, VMware vSphere Hypervisor, WindRiver Linux.
Severity: 4/4.
Creation date: 16/02/2016.
Revision date: 17/02/2016.
Identifiers: 046146, 046151, 046153, 046155, 046158, 1977665, 478832, 479427, 479906, 480572, 480707, 480708, ARUBA-PSA-2016-001, BSA-2016-003, BSA-2016-004, CERTFR-2016-AVI-066, CERTFR-2016-AVI-071, CERTFR-2017-AVI-012, CERTFR-2017-AVI-022, cisco-sa-20160218-glibc, CTX206991, CVE-2015-7547, ESA-2016-020, ESA-2016-027, ESA-2016-028, ESA-2016-029, ESA-2016-030, FEDORA-2016-0480defc94, FEDORA-2016-0f9e9a34ce, JSA10774, KB #4858, openSUSE-SU-2016:0490-1, openSUSE-SU-2016:0510-1, openSUSE-SU-2016:0511-1, openSUSE-SU-2016:0512-1, PAN-SA-2016-0021, RHSA-2016:0175-01, RHSA-2016:0176-01, RHSA-2016:0225-01, SA114, SB10150, SOL47098834, SSA:2016-054-02, SSA-301706, SUSE-SU-2016:0470-1, SUSE-SU-2016:0471-1, SUSE-SU-2016:0472-1, SUSE-SU-2016:0473-1, USN-2900-1, VIGILANCE-VUL-18956, VMSA-2016-0002, VMSA-2016-0002.1, VN-2016-003.

Description of the vulnerability

The glibc library implements a DNS resolver (libresolv).

An application can thus call the getaddrinfo() function, which queries DNS servers. When the AF_UNSPEC address family is used in the getaddrinfo() call, an A query and an AAAA query are sent in parallel. However, this special case, as well as a case with AF_INET6, is not correctly handled, and leads to a buffer overflow when the reply coming from the DNS server is larger than 2048 bytes.

An attacker who controls a malicious DNS server can therefore reply with an oversized response to a client application using the getaddrinfo() function of the glibc, in order to trigger a denial of service, and possibly to run code in the client application.

vulnerability alert CVE-2014-4700

Citrix XenDesktop: privilege escalation via Pooled Random Desktop Groups

Synthesis of the vulnerability

An attacker can use a Pooled Random Desktop Group of Citrix XenDesktop, in order to escalate his privileges.
Impacted products: XenDesktop.
Severity: 2/4.
Creation date: 10/07/2014.
Identifiers: CERTFR-2014-AVI-310, CTX139591, CVE-2014-4700, VIGILANCE-VUL-15031.

Description of the vulnerability

The Citrix XenDesktop product can be deployed with Pooled Random Desktop Groups, with the ShutdownDesktopsAfterUse option disabled.

However, in this configuration, an attacker can access the desktop of another user.

An attacker can therefore use a Pooled Random Desktop Group of Citrix XenDesktop, in order to escalate his privileges.

vulnerability note CVE-2014-0160

OpenSSL: information disclosure via Heartbeat

Synthesis of the vulnerability

An attacker can use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
Impacted products: Tomcat, ArubaOS, i-Suite, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, ARCserve Backup, ASA, Cisco Catalyst, IOS XE Cisco, Prime Infrastructure, Cisco PRSM, Cisco Router, Cisco CUCM, Cisco IP Phone, Cisco Unity ~ precise, XenDesktop, MIMEsweeper, Clearswift Email Gateway, Clearswift Web Gateway, Debian, ECC, PowerPath, ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, HP Diagnostics, LoadRunner, Performance Center, AIX, WebSphere MQ, WS_FTP Server, IVE OS, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SA, Juniper UAC, LibreOffice, MBS, McAfee Email Gateway, ePO, GroupShield, McAfee NGFW, VirusScan, McAfee Web Gateway, Windows 8, Windows RT, MySQL Enterprise, NetBSD, OpenBSD, OpenSSL, openSUSE, Opera, Solaris, pfSense, HDX, RealPresence Collaboration Server, Polycom VBP, Puppet, RHEL, RSA Authentication Manager, SIMATIC, Slackware, Sophos AV, Splunk Enterprise, Stonesoft NGFW/VPN, stunnel, ASE, OfficeScan, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, VMware Player, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, VMware Workstation, Websense Email Security, Websense Web Filter, Websense Web Security.
Severity: 3/4.
Creation date: 08/04/2014.
Identifiers: 1669839, 190438, 2076225, 2962393, c04236102, c04267775, c04286049, CA20140413-01, CERTFR-2014-ALE-003, CERTFR-2014-AVI-156, CERTFR-2014-AVI-161, CERTFR-2014-AVI-162, CERTFR-2014-AVI-167, CERTFR-2014-AVI-169, CERTFR-2014-AVI-177, CERTFR-2014-AVI-178, CERTFR-2014-AVI-179, CERTFR-2014-AVI-180, CERTFR-2014-AVI-181, CERTFR-2014-AVI-198, CERTFR-2014-AVI-199, CERTFR-2014-AVI-213, cisco-sa-20140409-heartbleed, CTX140605, CVE-2014-0160, CVE-2014-0346-REJECT, DSA-2896-1, DSA-2896-2, emr_na-c04236102-7, ESA-2014-034, ESA-2014-036, ESA-2014-075, FEDORA-2014-4879, FEDORA-2014-4910, FEDORA-2014-4982, FEDORA-2014-4999, FG-IR-14-011, FreeBSD-SA-14:06.openssl, Heartbleed, HPSBMU02995, HPSBMU03025, HPSBMU03040, ICSA-14-105-03, JSA10623, MDVSA-2014:123, MDVSA-2015:062, NetBSD-SA2014-004, openSUSE-SU-2014:0492-1, openSUSE-SU-2014:0560-1, openSUSE-SU-2014:0719-1, pfSense-SA-14_04.openssl, RHSA-2014:0376-01, RHSA-2014:0377-01, RHSA-2014:0378-01, RHSA-2014:0396-01, RHSA-2014:0416-01, SA40005, SA79, SB10071, SOL15159, SPL-82696, SSA:2014-098-01, SSA-635659, SSRT101565, USN-2165-1, VIGILANCE-VUL-14534, VMSA-2014-0004, VMSA-2014-0004.1, VMSA-2014-0004.2, VMSA-2014-0004.3, VMSA-2014-0004.6, VMSA-2014-0004.7, VU#720951.

Description of the vulnerability

The Heartbeat extension of TLS (RFC 6520) provides a keep-alive feature without performing a renegotiation. It exchanges arbitrary data in a payload, which the peer echoes back.

Version 1.0.1 of OpenSSL implements Heartbeat, which is enabled by default. The [d]tls1_process_heartbeat() function handles Heartbeat messages. However, it does not check that the declared payload length matches the data actually received: it continues reading past the end of the payload and sends the whole memory area (up to 64 KB) back to the peer (client or server).

An attacker can therefore use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.

vulnerability bulletin CVE-2013-6077

Citrix XenDesktop: policy bypass after an upgrade

Synthesis of the vulnerability

After the Citrix XenDesktop product has been upgraded from version 5.x to 7.0, an attacker can bypass the security policy previously defined by the administrator.
Impacted products: XenDesktop.
Severity: 2/4.
Creation date: 23/10/2013.
Identifiers: BID-63413, CERTA-2013-AVI-598, CTX138627, CVE-2013-6077, VIGILANCE-VUL-13633.

Description of the vulnerability

The Citrix XenDesktop product uses security policy rules, to which permissions are attached.

However, after an upgrade from version 5.x to 7.0, these permissions are not correctly updated.

After the Citrix XenDesktop product has been upgraded from version 5.x to 7.0, an attacker can therefore bypass the security policy previously defined by the administrator.

vulnerability CVE-2013-1432

Xen: denial of service via page table management

Synthesis of the vulnerability

An attacker can raise a fatal exception in the page table management of Xen, in order to trigger a denial of service.
Impacted products: XenDesktop, XenServer, Debian, Fedora, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 27/06/2013.
Identifiers: BID-60799, CERTA-2013-AVI-394, CERTA-2013-AVI-496, CTX138134, CTX138633, CVE-2013-1432, DSA-3006-1, FEDORA-2013-11837, FEDORA-2013-11871, FEDORA-2013-11874, openSUSE-SU-2013:1392-1, openSUSE-SU-2013:1404-1, SUSE-SU-2014:0446-1, VIGILANCE-VUL-13010, XSA-58.

Description of the vulnerability

In a Xen-based system, memory page frames are managed both by Xen and by the guest systems.

Xen frees page frames when no guest system uses them anymore. However, the fix for the vulnerability described in VIGILANCE-VUL-12747 introduced an error in the handling of the reference counter. A malicious guest system can then make Xen free a page prematurely, which raises an exception in Xen on the first access after the free and halts the host system.

An attacker can therefore raise a fatal exception in the page table management of Xen, in order to trigger a denial of service.

vulnerability note CVE-2013-2194 CVE-2013-2195 CVE-2013-2196

Xen: privilege escalation via libelf

Synthesis of the vulnerability

An attacker who is administrator of a PV/HVM guest can load a malicious kernel/firmware, in order to corrupt the memory of the libelf library of Xen and escalate his privileges on the host system.
Impacted products: XenDesktop, XenServer, Debian, Fedora, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 05/06/2013.
Identifiers: BID-60701, BID-60702, BID-60703, CERTA-2013-AVI-380, CERTA-2013-AVI-496, CTX138058, CTX138633, CVE-2013-2194, CVE-2013-2195, CVE-2013-2196, DSA-3006-1, FEDORA-2013-10929, FEDORA-2013-10941, SUSE-SU-2013:1314-1, SUSE-SU-2014:0411-1, SUSE-SU-2014:0446-1, SUSE-SU-2014:0470-1, VIGILANCE-VUL-12914, XSA-55.

Description of the vulnerability

The Xen product uses the libelf library to parse the ELF image of the guest kernel/firmware.

However, libelf is affected by several integer overflows and memory corruptions. A detailed analysis was not performed for this bulletin.

An attacker who is administrator of a PV/HVM guest can therefore load a malicious kernel/firmware, in order to corrupt the memory of the libelf library of Xen and escalate his privileges on the host system.

vulnerability CVE-2013-0231

Xen: denial of service via pciback

Synthesis of the vulnerability

An attacker located in a guest system can trigger numerous PCI errors, in order to overload the host system.
Impacted products: XenDesktop, XenServer, Debian, Fedora, Linux, MBS, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 05/02/2013.
Identifiers: BID-57740, CERTA-2013-AVI-098, CERTA-2013-AVI-158, CERTA-2013-AVI-259, CERTA-2013-AVI-412, CERTA-2013-AVI-496, CTX136540, CTX138633, CVE-2013-0231, DSA-2632-1, FEDORA-2013-2728, MDVSA-2013:194, openSUSE-SU-2013:0395-1, openSUSE-SU-2013:0396-1, openSUSE-SU-2013:0925-1, openSUSE-SU-2013:1619-1, RHSA-2013:0747-01, SUSE-SU-2013:0674-1, SUSE-SU-2013:0759-1, SUSE-SU-2013:0759-2, SUSE-SU-2013:0786-1, VIGILANCE-VUL-12380, XSA-43.

Description of the vulnerability

The pciback_enable_msi() function of the drivers/xen/pciback/conf_space_capability_msi.c file is used to enable MSI (Message Signaled Interrupts) on a PCI device. It is called via the XEN_PCI_OP_enable_msi operation.

If MSI cannot be enabled, this function calls printk() to log a kernel error message. However, there is no limit on the number of times that this function can be called, so a guest can flood the host kernel log.

An attacker located in a guest system can therefore trigger numerous PCI errors, in order to overload the host system.

computer vulnerability note CVE-2013-0216 CVE-2013-0217

Xen: denials of service via netback

Synthesis of the vulnerability

A local attacker, who is located in a Xen guest system, can trigger two denials of service via netback.
Impacted products: XenDesktop, XenServer, MBS, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Creation date: 05/02/2013.
Identifiers: BID-57743, BID-57744, CERTA-2013-AVI-098, CERTA-2013-AVI-158, CERTA-2013-AVI-259, CERTA-2013-AVI-375, CERTA-2013-AVI-496, CTX136540, CTX138633, CVE-2013-0216, CVE-2013-0217, MDVSA-2013:176, openSUSE-SU-2013:0395-1, openSUSE-SU-2013:0396-1, openSUSE-SU-2013:0925-1, RHSA-2013:0747-01, SUSE-SU-2013:0674-1, SUSE-SU-2013:0759-1, SUSE-SU-2013:0759-2, SUSE-SU-2013:0786-1, VIGILANCE-VUL-12379, XSA-39.

Description of the vulnerability

The netback driver of Xen runs in the kernel of Dom0 and is connected to the virtual network devices of DomU systems. It is affected by two vulnerabilities.

An attacker can trigger a very long loop. [severity:1/4; BID-57743, CVE-2013-0216]

An attacker can trigger a memory leak. [severity:1/4; BID-57744, CVE-2013-0217]

A local attacker, who is located in a Xen guest system, can therefore trigger two denials of service via netback.
Our database contains other pages. You can request a free trial to read them.