The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of XenServer

vulnerability announce CVE-2016-7154

Xen: use after free via FIFO

Synthesis of the vulnerability

An attacker, inside a guest system, can force the use of a freed memory area via the FIFO mechanism of Xen, in order to trigger a denial of service, and possibly to run code on the host system.
Impacted products: XenServer, Debian, openSUSE, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on server, denial of service on service.
Provenance: privileged shell.
Creation date: 08/09/2016.
Identifiers: CERTFR-2016-AVI-301, CERTFR-2016-AVI-303, CTX216071, CVE-2016-7154, DSA-3663-1, openSUSE-SU-2016:2497-1, SUSE-SU-2016:2507-1, SUSE-SU-2016:2533-1, VIGILANCE-VUL-20552, XSA-188.

Description of the vulnerability

An attacker, inside a guest system, can force the use of a freed memory area via the FIFO mechanism of Xen, in order to trigger a denial of service, and possibly to run code on the host system.

vulnerability alert CVE-2016-7094

Xen: denial of service via HVM sh_ctxt->seg_reg

Synthesis of the vulnerability

An attacker, who is privileged in a guest system, can generate a fatal error via HVM sh_ctxt->seg_reg of Xen, in order to trigger a denial of service on the host system.
Impacted products: XenServer, Debian, Fedora, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: privileged shell.
Creation date: 08/09/2016.
Identifiers: CERTFR-2016-AVI-301, CERTFR-2016-AVI-303, CTX216071, CVE-2016-7094, DLA-614-1, DSA-3663-1, FEDORA-2016-1c3374bcb9, FEDORA-2016-7d2c67d1f5, openSUSE-SU-2016:2494-1, openSUSE-SU-2016:2497-1, SUSE-SU-2016:2473-1, SUSE-SU-2016:2507-1, SUSE-SU-2016:2528-1, SUSE-SU-2016:2533-1, SUSE-SU-2016:2725-1, VIGILANCE-VUL-20551, XSA-187.

Description of the vulnerability

An attacker, who is privileged in a guest system, can generate a fatal error via HVM sh_ctxt->seg_reg of Xen, in order to trigger a denial of service on the host system.

vulnerability CVE-2016-7093

Xen: privilege escalation via Instruction Pointer Truncation

Synthesis of the vulnerability

An attacker, who is privileged in a guest system, can bypass restrictions via Instruction Pointer Truncation of Xen, in order to escalate his privileges on the host system.
Impacted products: XenServer, Fedora, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: privileged shell.
Creation date: 08/09/2016.
Identifiers: CERTFR-2016-AVI-301, CERTFR-2016-AVI-303, CTX216071, CVE-2016-7093, FEDORA-2016-1c3374bcb9, FEDORA-2016-7d2c67d1f5, openSUSE-SU-2016:2494-1, openSUSE-SU-2016:2497-1, SUSE-SU-2016:2473-1, SUSE-SU-2016:2507-1, SUSE-SU-2016:2533-1, VIGILANCE-VUL-20550, XSA-186.

Description of the vulnerability

An attacker, who is privileged in a guest system, can bypass restrictions via Instruction Pointer Truncation of Xen, in order to escalate his privileges on the host system.

computer vulnerability note CVE-2016-7092

Xen: privilege escalation via L3 Recursive Pagetable

Synthesis of the vulnerability

An attacker, who is privileged in a guest system, can bypass restrictions via L3 Recursive Pagetable of Xen, in order to escalate his privileges on the host system.
Impacted products: XenServer, Debian, Fedora, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: privileged shell.
Creation date: 08/09/2016.
Identifiers: CERTFR-2016-AVI-301, CERTFR-2016-AVI-303, CTX216071, CVE-2016-7092, DLA-614-1, DSA-3663-1, FEDORA-2016-1c3374bcb9, FEDORA-2016-7d2c67d1f5, openSUSE-SU-2016:2494-1, openSUSE-SU-2016:2497-1, SUSE-SU-2016:2473-1, SUSE-SU-2016:2507-1, SUSE-SU-2016:2528-1, SUSE-SU-2016:2533-1, SUSE-SU-2016:2725-1, VIGILANCE-VUL-20549, XSA-185.

Description of the vulnerability

An attacker, who is privileged in a guest system, can bypass restrictions via L3 Recursive Pagetable of Xen, in order to escalate his privileges on the host system.

computer vulnerability CVE-2016-6259

Xen: denial of service via Intel SMAP

Synthesis of the vulnerability

An attacker, who is in a guest system on an Intel processor with SMAP, can trigger a denial of service on the Xen host system.
Impacted products: XenServer, Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 26/07/2016.
Identifiers: CTX214954, CVE-2016-6259, FEDORA-2016-0049aa6e5d, FEDORA-2016-01cc766201, openSUSE-SU-2016:2494-1, SUSE-SU-2016:2093-1, SUSE-SU-2016:2473-1, VIGILANCE-VUL-20225, XSA-183.

Description of the vulnerability

The Xen product can be installed on an Intel processor (Broadwell or later) supporting SMAP (Supervisor Mode Access Prevention).

However, the compat_create_bounce_frame() function does not whitelist its userspace accesses, which generates a fatal error.

An attacker, who is in a guest system on an Intel processor with SMAP, can therefore trigger a denial of service on the Xen host system.

vulnerability note CVE-2016-6258

Xen: privilege escalation via PV Pagetable

Synthesis of the vulnerability

An attacker, who is privileged in a PV guest system, can manipulate Pagetable entries of Xen, in order to escalate his privileges on the host system.
Impacted products: XenServer, Debian, Fedora, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: privileged shell.
Creation date: 26/07/2016.
Identifiers: CERTFR-2016-AVI-252, CTX214954, CVE-2016-6258, DLA-571-1, DSA-3633-1, FEDORA-2016-0049aa6e5d, FEDORA-2016-01cc766201, openSUSE-SU-2016:2494-1, openSUSE-SU-2016:2497-1, SUSE-SU-2016:2093-1, SUSE-SU-2016:2100-1, SUSE-SU-2016:2473-1, SUSE-SU-2016:2507-1, SUSE-SU-2016:2528-1, SUSE-SU-2016:2533-1, SUSE-SU-2016:2725-1, VIGILANCE-VUL-20224, XSA-182.

Description of the vulnerability

The Xen product offers ParaVirtualized guest systems.

However, reused PV Pagetable entries are not re-validated.

An attacker, who is privileged in a PV guest system, can therefore manipulate Pagetable entries of Xen, in order to escalate his privileges on the host system.

computer vulnerability note CVE-2016-5302

Citrix XenServer 7: privilege escalation via Active Directory

Synthesis of the vulnerability

An attacker with an account on the Active Directory can log in to Citrix XenServer 7, in order to compromise the system.
Impacted products: XenServer.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 10/06/2016.
Identifiers: CERTFR-2016-AVI-197, CTX213549, CVE-2016-5302, VIGILANCE-VUL-19859.

Description of the vulnerability

The Citrix XenServer 7 product can be installed with the Active Directory authentication still enabled.

However, after this installation, every AD user can authenticate on XenServer.

An attacker with an account on the Active Directory can therefore log in to Citrix XenServer 7, in order to compromise the system.

computer vulnerability CVE-2016-3710 CVE-2016-3712

QEMU: two vulnerabilities of VGA

Synthesis of the vulnerability

An attacker can use several vulnerabilities in the VGA emulation of QEMU.
Impacted products: XenServer, Debian, Fedora, openSUSE, openSUSE Leap, QEMU, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Xen.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/05/2016.
Identifiers: CERTFR-2016-AVI-158, CTX212736, CVE-2016-3710, CVE-2016-3712, DLA-539-1, DLA-540-1, DLA-571-1, DSA-3573-1, FEDORA-2016-a3298e39f7, FEDORA-2016-f1c21e3c3c, FEDORA-2016-f2b1f07256, openSUSE-SU-2016:1750-1, openSUSE-SU-2016:2494-1, openSUSE-SU-2016:2497-1, RHSA-2016:0724-01, RHSA-2016:0997-01, RHSA-2016:1943-01, RHSA-2016:2585-02, RHSA-2017:0621-01, SUSE-SU-2016:1560-1, SUSE-SU-2016:1698-1, SUSE-SU-2016:1703-1, SUSE-SU-2016:1785-1, SUSE-SU-2016:2093-1, SUSE-SU-2016:2100-1, SUSE-SU-2016:2528-1, SUSE-SU-2016:2533-1, SUSE-SU-2016:2725-1, USN-2974-1, VIGILANCE-VUL-19555, XSA-179.

Description of the vulnerability

Several vulnerabilities were announced in QEMU.

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-3710]

An attacker can force a read at an invalid address, in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2016-3712]

vulnerability announce CVE-2016-2105 CVE-2016-2106 CVE-2016-2107

OpenSSL: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities in OpenSSL.
Impacted products: SDS, SES, SNS, Tomcat, Mac OS X, StormShield, Blue Coat CAS, ProxyAV, ProxySG by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, XenServer, Debian, PowerPath, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiOS, FreeBSD, Android OS, HP Operations, HP Switch, AIX, IRAD, QRadar SIEM, IBM System x Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, MariaDB ~ precise, McAfee NSM, Meinberg NTP Server, MySQL Community, MySQL Enterprise, Data ONTAP, NETASQ, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, Tuxedo, VirtualBox, WebLogic, Oracle Web Tier, Palo Alto Firewall PA***, PAN-OS, Percona Server, pfSense, Pulse Connect Secure, Puppet, Python, RHEL, JBoss EAP by Red Hat, SAS Management Console, Shibboleth SP, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, VxWorks, X2GoClient.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 03/05/2016.
Identifiers: 1982949, 1985850, 1987779, 1993215, 1995099, 1998797, 2003480, 2003620, 2003673, 510853, 9010083, bulletinapr2016, bulletinapr2017, CERTFR-2016-AVI-151, CERTFR-2016-AVI-153, CERTFR-2018-AVI-160, cisco-sa-20160504-openssl, cpuapr2017, cpujan2018, cpujul2016, cpujul2017, cpujul2018, cpuoct2016, cpuoct2017, cpuoct2018, CTX212736, CTX233832, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, DLA-456-1, DSA-3566-1, ESA-2017-142, FEDORA-2016-05c567df1a, FEDORA-2016-1e39d934ed, FEDORA-2016-e1234b65a2, FG-IR-16-026, FreeBSD-SA-16:17.openssl, HPESBGN03728, HPESBHF03756, HT206903, JSA10759, K23230229, K36488941, K51920288, K75152412, K93600123, MBGSA-1603, MIGR-5099595, MIGR-5099597, NTAP-20160504-0001, openSUSE-SU-2016:1237-1, openSUSE-SU-2016:1238-1, openSUSE-SU-2016:1239-1, openSUSE-SU-2016:1240-1, openSUSE-SU-2016:1241-1, openSUSE-SU-2016:1242-1, openSUSE-SU-2016:1243-1, openSUSE-SU-2016:1273-1, openSUSE-SU-2016:1566-1, openSUSE-SU-2017:0487-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2016:0722-01, RHSA-2016:0996-01, RHSA-2016:1137-01, RHSA-2016:1648-01, RHSA-2016:1649-01, RHSA-2016:1650-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, RHSA-2016:2073-01, SA123, SA40202, SB10160, SOL23230229, SOL36488941, SOL51920288, SOL75152412, SP-CAAAPPQ, SPL-119440, SPL-121159, SPL-123095, SSA:2016-124-01, STORM-2016-002, SUSE-SU-2016:1206-1, SUSE-SU-2016:1228-1, SUSE-SU-2016:1231-1, SUSE-SU-2016:1233-1, SUSE-SU-2016:1267-1, SUSE-SU-2016:1290-1, SUSE-SU-2016:1360-1, SUSE-SU-2018:0112-1, TNS-2016-10, USN-2959-1, VIGILANCE-VUL-19512, VN-2016-006, VN-2016-007.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. This vulnerability was initially fixed in versions 1.0.1o and 1.0.2c, but it was not disclosed at that time. [severity:3/4; CVE-2016-2108]

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. [severity:3/4; CVE-2016-2107]

An attacker can generate a buffer overflow in EVP_EncodeUpdate(), which is mainly used by command line applications, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2105]

An attacker can generate a buffer overflow in EVP_EncryptUpdate(), which is difficult to reach, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2106]

An attacker can trigger an excessive memory usage in d2i_CMS_bio(), in order to trigger a denial of service. [severity:2/4; CVE-2016-2109]

An attacker can force a read at an invalid address in applications using X509_NAME_oneline(), in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2016-2176]

computer vulnerability announce CVE-2015-7704 CVE-2015-8138 CVE-2016-1547

NTP.org: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities in NTP.org.
Impacted products: SNS, ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco Unity ~ precise, XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP Switch, AIX, Juniper EX-Series, Juniper J-Series, Junos OS, Junos Space, SRX-Series, McAfee Web Gateway, Meinberg NTP Server, NTP.org, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 11.
Creation date: 27/04/2016.
Identifiers: bulletinapr2016, bulletinapr2019, c05270839, CERTFR-2016-AVI-153, CERTFR-2017-AVI-365, CERTFR-2018-AVI-545, cisco-sa-20160428-ntpd, cpujan2018, CTX220112, CVE-2015-7704, CVE-2015-8138, CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550, CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519, DLA-559-1, DSA-3629-1, FEDORA-2016-5b2eb0bf9c, FEDORA-2016-777d838c1b, FEDORA-2018-70c191d84a, FEDORA-2018-de113aeac6, FreeBSD-SA-16:16.ntp, HPESBHF03750, HPSBHF03646, JSA10776, JSA10796, JSA10824, JSA10826, JSA10898, K11251130, K20804323, K24613253, K43205719, K63675293, MBGSA-1602, openSUSE-SU-2016:1292-1, openSUSE-SU-2016:1329-1, openSUSE-SU-2016:1423-1, openSUSE-SU-2018:0970-1, PAN-SA-2016-0019, RHSA-2016:1141-01, RHSA-2016:1552-01, SB10164, SOL11251130, SOL20804323, SOL24613253, SOL41613034, SOL43205719, SOL45427159, SOL61200338, SOL63675293, SSA:2016-120-01, STORM-2016-003, STORM-2016-004, SUSE-SU-2016:1175-1, SUSE-SU-2016:1177-1, SUSE-SU-2016:1247-1, SUSE-SU-2016:1278-1, SUSE-SU-2016:1291-1, SUSE-SU-2016:1311-1, SUSE-SU-2016:1471-1, SUSE-SU-2016:1912-1, SUSE-SU-2016:2094-1, SUSE-SU-2018:1464-1, SUSE-SU-2018:1765-1, Synology-SA-18:13, Synology-SA-18:14, TALOS-2016-0081, TALOS-2016-0082, TALOS-2016-0083, TALOS-2016-0084, TALOS-2016-0132, USN-3096-1, USN-3349-1, VIGILANCE-VUL-19477, VU#718152.

Description of the vulnerability

Several vulnerabilities were announced in NTP.org.

On certain systems, the ntpd daemon can accept packets from 127.0.0.0/8. [severity:1/4; CVE-2016-1551, TALOS-2016-0132]

An attacker can use a Sybil attack, in order to alter the system clock. [severity:2/4; CVE-2016-1549, TALOS-2016-0083]

An attacker can force an assertion error with a duplicate IP address, in order to trigger a denial of service. [severity:2/4; CVE-2016-2516]

An attacker can trigger an error in the management of trustedkey/requestkey/controlkey, in order to trigger a denial of service. [severity:2/4; CVE-2016-2517]

An attacker can force a read at an invalid address in MATCH_ASSOC, in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2016-2518]

An attacker can trigger a fatal error in ctl_getitem(), in order to trigger a denial of service. [severity:2/4; CVE-2016-2519]

An attacker can send a malicious CRYPTO-NAK packet, in order to trigger a denial of service. [severity:2/4; CVE-2016-1547, TALOS-2016-0081]

An attacker can use Interleave-pivot, in order to alter a client time. [severity:2/4; CVE-2016-1548, TALOS-2016-0082]

An attacker can trigger a fatal error in the NTP client, in order to trigger a denial of service. [severity:2/4; CVE-2015-7704]

The Zero Origin Timestamp value is not correctly checked. [severity:2/4; CVE-2015-8138]

An attacker can measure the comparison execution time, in order to guess a hash. [severity:2/4; CVE-2016-1550, TALOS-2016-0084]