Citrix Xenserver vulnerabilities

CVE-2018-19962 [HIGH] CWE-200 CVE-2018-19962: An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones.

CVE-2018-19965 [MEDIUM] CVE-2018-19965: An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation.

CVE-2018-14007 [CRITICAL] CWE-22 CVE-2018-14007: Citrix XenServer 7.1 and newer allows Directory Traversal. Citrix XenServer 7.1 and newer allows Directory Traversal.

CVE-2016-9603 [CRITICAL] CWE-122 CVE-2016-9603: A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver s A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute a

CVE-2017-2620 [CRITICAL] CWE-787 CVE-2017-2620: Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of th

CVE-2017-2615 [CRITICAL] CWE-787 CVE-2017-2615: Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-o Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privi

CVE-2018-3665 [MEDIUM] CWE-200 CVE-2018-3665: System software utilizing Lazy FP state restore technique on systems using Intel Core-based micropro System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel.

CVE-2018-8897 [HIGH] CWE-362 CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Develop A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS

CVE-2017-12134 [HIGH] CWE-682 CVE-2017-12134: The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest u The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.

CVE-2017-12137 [HIGH] CWE-120 CVE-2017-12137: arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related t arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref.

CVE-2017-12135 [HIGH] CWE-682 CVE-2017-12135: Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive in Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants.

CVE-2017-12136 [HIGH] CWE-362 CVE-2017-12136: Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrato Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling.

CVE-2015-7705 [CRITICAL] CWE-20 CVE-2015-7705: The rate limiting feature in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers The rate limiting feature in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to have unspecified impact via a large number of crafted requests.

CVE-2015-7704 [HIGH] CWE-20 CVE-2015-7704: The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to cause a The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service via a number of crafted "KOD" messages.

CVE-2016-9637 [HIGH] CWE-264 CVE-2016-9637: The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model withi The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.

CVE-2017-5573 [MEDIUM] CVE-2017-5573: An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated r An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated read-only administrator can cancel tasks of other administrators.

CVE-2017-5572 [MEDIUM] CWE-269 CVE-2017-5572: An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated r An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated read-only administrator can corrupt the host database.

CVE-2016-10024 [MEDIUM] CWE-20 CVE-2016-10024: Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (h Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifying the instruction stream asynchronously while performing certain kernel operations.

CVE-2016-10025 [MEDIUM] CWE-476 CVE-2016-10025: VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions (aka VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions (aka SVM) allows local HVM guest OS users to cause a denial of service (hypervisor crash) by leveraging a missing NULL pointer check.

CVE-2016-9382 [HIGH] CWE-264 CVE-2016-9382: Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, which allows local 32-bit x86 HVM Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, which allows local 32-bit x86 HVM guest OS users to gain privileges or cause a denial of service (guest OS crash) by leveraging a guest operating system that uses hardware task switching and allows a new task to start in VM86 mode.