[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] Context IS Advisory - Citrix XenServer Hypervisor Privilege Escalation
From:       Context IS - Disclosure <disclosure () contextis ! co ! uk>
Date:       2012-10-30 9:13:21
Message-ID: A9CB1DCB1273F741BA6EAF9728AA03291C796393B0 () kestrel ! london ! contextis ! co ! uk
[Download RAW message or body]

==============================ADVISORY===============================
Systems Affected:      Citrix XenServer 5.0 through 6.0.2
Severity:                    High
Category:                  Privilege Escalation
Author:                     Context Information Security
Reported to vendor:  24th May 2012
Advisory Issued:       30th October 2012
Reference:                CVE-2012-4606
==============================ADVISORY===============================
 
Description
-----------
The XenServer remote VNC terminal emulator contains a vulnerability which would allow a user of \
a guest VM to get code executing in the hypervisor leading to elevation of privilege on the \
server on which the guest VM was being hosted.   
Analysis
--------
Citrix XenServer is distributed with a VT100 terminal emulator which is exposed via the VNC \
protocol to allow a remote user to administer their hosted para-virtualised machine.  The \
application does not correctly handle certain escape sequences which can lead to an \
unprivileged guest VM being able to gain code execution in the fully privileged Dom0 allowing \
the entire hosting server to be controlled.   
It should be noted that the vulnerable code was also used in the QEMU-KVM terminal that can be \
used by emulated virtual machines; this is under a different CVE, CVE-2012-3515.  
Technologies Affected
---------------------
Citrix XenServer 6.0
Citrix XenServer 5.6
Citrix XenServer 5.5
Citrix XenServer 5.0
 
Vendor Response
------------------
Vendor issued a security hot fix of the 5th September 2012. See \
http://support.citrix.com/article/CTX134708 for support information and download locations for \
different versions of XenServer.   
Disclosure Timeline
-------------------
24th May 2012 – Vendor notified
5th September 2012 – Vendor issues fix
 
Credits
-------
James Forshaw of Context Information Security
 
 
About Context Information Security
----------------------------------
 
Context Information Security is an independent security consultancy specialising in both \
technical security and information assurance services.  
The company was founded in 1998. Its client base has grown steadily over the years, thanks in \
large part to personal recommendations from existing clients who value us as business partners. \
We believe our success is based on the value our clients place on our product-agnostic, \
holistic approach; the way we work closely with them to develop a tailored service; and to the \
independence, integrity and technical skills of our consultants.  
The company’s client base now includes some of the most prestigious blue chip companies in the \
world, as well as government organisations.   
The best security experts need to bring a broad portfolio of skills to the job, so Context has \
always sought to recruit staff with extensive business experience as well as technical \
expertise. Our aim is to provide effective and practical solutions, advice and support: when we \
report back to clients we always communicate our findings and recommendations in plain terms at \
a business level as well as in the form of an in-depth technical report.  
Web:        www.contextis.com
Email:      disclosure@contextis.co.uk
 
 
 
 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread]