Citrix XenServer Multiple Vulnerabilities (CTX214954) (Bunker Buster)

high Nessus Plugin ID 92723

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

The version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities :

- A privilege escalation vulnerability known as 'Bunker Buster' exists in the paravirtualization (PV) pagetable implementation due to incorrect usage of fast-paths for making updates to pre-existing pagetable entries. An attacker with administrative privileges on a PV guest can exploit this vulnerability to gain administrative privileges on the host operating system. This vulnerability only affects PV guests on x86 hardware;
HVM and ARM guests are not affected. (CVE-2016-6258)

- A denial of service vulnerability exists when handling 32-bit exceptions and event delivery due to missing SMAP whitelisting. A local guest attacker can exploit this to trigger a safety check that will crash other virtual machines on the host system. This vulnerability only exists on 32-bit PV guests running on x86 hardware that supports SMAP. (CVE-2016-6259)

Solution

Apply the appropriate hotfix as referenced in the vendor advisory.

See Also

https://support.citrix.com/article/CTX214954

http://www.nessus.org/u?9e5f1cb7

http://www.nessus.org/u?83872af7

Plugin Details

Severity: High

ID: 92723

File Name: citrix_xenserver_CTX214954.nasl

Version: 1.9

Type: local

Family: Misc.

Published: 8/4/2016

Updated: 7/10/2020

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-6258

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:citrix:xenserver

Required KB Items: Host/XenServer/version, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 7/26/2016

Vulnerability Publication Date: 7/26/2016

Reference Information

CVE: CVE-2016-6258, CVE-2016-6259

BID: 92130, 92131

IAVB: 2016-B-0118-S