Citrix Xenserver vulnerabilities

CVE-2016-9379 [HIGH] CWE-20 CVE-2016-9379: The pygrub boot loader emulator in Xen, when S-expression output format is requested, allows local p The pygrub boot loader emulator in Xen, when S-expression output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via string quotes and S-expressions in the bootloader configuration file.

CVE-2016-9386 [HIGH] CWE-264 CVE-2016-9386: The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM guest users to gain privileges via vectors involving "unexpected" base/limit values.

CVE-2016-9383 [HIGH] CWE-20 CVE-2016-9383: Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory and consequently obtain sensitive information, cause a denial of service (host crash), or execute arbitrary code on the host by leveraging broken emulation of bit test instructions.

CVE-2016-9380 [HIGH] CWE-20 CVE-2016-9380: The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via NUL bytes in the bootloader configuration file.

CVE-2016-9381 [HIGH] CWE-362 CVE-2016-9381: Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by cha Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability.

CVE-2016-9385 [MEDIUM] CWE-20 CVE-2016-9385: The x86 segment base write emulation functionality in Xen 4.4.x through 4.7.x allows local x86 PV gu The x86 segment base write emulation functionality in Xen 4.4.x through 4.7.x allows local x86 PV guest OS administrators to cause a denial of service (host crash) by leveraging lack of canonical address checks.

CVE-2016-6258 [HIGH] CWE-284 CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS admi The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries.

CVE-2016-6259 [MEDIUM] CWE-20 CVE-2016-6259: Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32 Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32-bit exception and event delivery, which allows local 32-bit PV guest OS kernels to cause a denial of service (hypervisor and VM crash) by triggering a safety check.

CVE-2016-5302 [CRITICAL] CWE-284 CVE-2016-5302: Citrix XenServer 7.0 before Hotfix XS70E003, when a deployment has been upgraded from an earlier rel Citrix XenServer 7.0 before Hotfix XS70E003, when a deployment has been upgraded from an earlier release, might allow remote attackers on the management network to "compromise" a host by leveraging credentials for an Active Directory account.

CVE-2016-3710 [HIGH] CWE-119 CVE-2016-3710: The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which a The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.

CVE-2016-3712 [MEDIUM] CWE-190 CVE-2016-3712: Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode.

CVE-2015-8555 [HIGH] CWE-200 CVE-2015-8555: Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when X Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors.

CVE-2016-1571 [MEDIUM] CWE-17 CVE-2016-1571: The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check.

CVE-2015-4106 [MEDIUM] CWE-863 CVE-2015-4106: QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through de QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.

CVE-2014-4947 [CRITICAL] CWE-119 CVE-2014-4947: Buffer overflow in the HVM graphics console support in Citrix XenServer 6.2 Service Pack 1 and earli Buffer overflow in the HVM graphics console support in Citrix XenServer 6.2 Service Pack 1 and earlier has unspecified impact and attack vectors.

CVE-2014-4948 [MEDIUM] CVE-2014-4948: Unspecified vulnerability in Citrix XenServer 6.2 Service Pack 1 and earlier allows attackers to cau Unspecified vulnerability in Citrix XenServer 6.2 Service Pack 1 and earlier allows attackers to cause a denial of service and obtain sensitive information by modifying the guest virtual hard disk (VHD).

CVE-2012-5512 [LOW] CWE-16 CVE-2012-5512: Array index error in the HVMOP_set_mem_access handler in Xen 4.1 allows local HVM guest OS administr Array index error in the HVMOP_set_mem_access handler in Xen 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) or obtain sensitive information via unspecified vectors.

CVE-2012-3516 [MEDIUM] CWE-264 CVE-2012-3516: The GNTTABOP_swap_grant_ref sub-operation in the grant table hypercall in Xen 4.2 and Citrix XenServ The GNTTABOP_swap_grant_ref sub-operation in the grant table hypercall in Xen 4.2 and Citrix XenServer 6.0.2 allows local guest kernels or administrators to cause a denial of service (host crash) and possibly gain privileges via a crafted grant reference that triggers a write to an arbitrary hypervisor memory location.

CVE-2012-3498 [MEDIUM] CWE-20 CVE-2012-3498: PHYSDEVOP_map_pirq in Xen 4.1 and 4.2 and Citrix XenServer 6.0.2 and earlier allows local HVM guest PHYSDEVOP_map_pirq in Xen 4.1 and 4.2 and Citrix XenServer 6.0.2 and earlier allows local HVM guest OS kernels to cause a denial of service (host crash) and possibly read hypervisor or guest memory via vectors related to a missing range check of map->index.

CVE-2012-3496 [MEDIUM] CWE-16 CVE-2012-3496: XENMEM_populate_physmap in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when trans XENMEM_populate_physmap in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when translating paging mode is not used, allows local PV OS guest kernels to cause a denial of service (BUG triggered and host crash) via invalid flags such as MEMF_populate_on_demand.