List: full-disclosure
Subject: [Full-disclosure] Context IS Advisory - Citrix XenServer Hypervisor Privilege Escalation
From: Context IS - Disclosure <disclosure@contextis.co.uk>
Date: 2012-10-30 9:13:21
Message-ID: A9CB1DCB1273F741BA6EAF9728AA03291C796393B0@kestrel.london.contextis.co.uk
==============================ADVISORY===============================
Systems Affected: Citrix XenServer 5.0 through 6.0.2
Severity: High
Category: Privilege Escalation
Author: Context Information Security
Reported to vendor: 24th May 2012
Advisory Issued: 30th October 2012
Reference: CVE-2012-4606
==============================ADVISORY===============================
Description
-----------
The XenServer remote VNC terminal emulator contains a vulnerability that would allow a user of a guest VM to execute code in the hypervisor, leading to elevation of privilege on the server hosting the guest VM.
Analysis
--------
Citrix XenServer is distributed with a VT100 terminal emulator which is exposed via the VNC protocol to allow a remote user to administer their hosted para-virtualised machine. The application does not correctly handle certain escape sequences, which can lead to an unprivileged guest VM gaining code execution in the fully privileged Dom0, allowing the entire hosting server to be controlled.
It should be noted that the vulnerable code was also used in the QEMU-KVM terminal that can be used by emulated virtual machines; this is tracked under a separate CVE, CVE-2012-3515.
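A guest-facing VT100 emulator parses escape sequences the guest controls, so every array index derived from that input has to be bounded before it is used. The following is an added example written for this page, not code from Citrix or QEMU: a CSI parameter parser that checks the parameter index before every write and counts parameters it had to discard, so the condition can be logged; it illustrates the kind of check such code needs and does not claim to reproduce the exact defect behind CVE-2012-4606. The names vt_parser, vt_putchar, vt_feed and MAX_ESC_PARAMS are assumptions.

```c
#include <string.h>
#define MAX_ESC_PARAMS 3                    /* fixed-size parameter array (assumed) */
enum tty_state { TTY_STATE_NORM, TTY_STATE_ESC, TTY_STATE_CSI };
struct vt_parser {
    enum tty_state state;
    int esc_params[MAX_ESC_PARAMS];
    int nb_esc_params;   /* slot being filled while parsing; count once done */
    int dropped_params;  /* parameters discarded because the limit was hit */
    char final_byte;     /* final byte of the last completed CSI sequence */
};
/* Feed one byte of untrusted console output into the state machine. */
static void vt_putchar(struct vt_parser *p, unsigned char ch)
{
    switch (p->state) {
    case TTY_STATE_NORM:
        if (ch == 0x1b) p->state = TTY_STATE_ESC;
        break;
    case TTY_STATE_ESC:
        if (ch == '[') {                    /* start of a CSI sequence */
            memset(p->esc_params, 0, sizeof(p->esc_params));
            p->nb_esc_params = p->dropped_params = 0;
            p->state = TTY_STATE_CSI;
        } else p->state = TTY_STATE_NORM;   /* other ESC forms not modelled */
        break;
    case TTY_STATE_CSI:
        if (ch >= '0' && ch <= '9') {
            /* Write only into a slot that exists; clamp against int overflow. */
            if (p->nb_esc_params < MAX_ESC_PARAMS &&
                p->esc_params[p->nb_esc_params] < 100000)
                p->esc_params[p->nb_esc_params] =
                    p->esc_params[p->nb_esc_params] * 10 + (ch - '0');
        } else if (ch == ';') {
            /* Bounded index: the write above can never run past esc_params. */
            if (p->nb_esc_params < MAX_ESC_PARAMS) p->nb_esc_params++;
            else p->dropped_params++;       /* surplus parameter, worth logging */
        } else {                            /* final byte ends the sequence */
            if (p->nb_esc_params < MAX_ESC_PARAMS) p->nb_esc_params++;
            p->final_byte = (char)ch;
            p->state = TTY_STATE_NORM;
        }
        break;
    }
}

/* Parse a whole byte string; returns the number of parameters retained. */
static int vt_feed(struct vt_parser *p, const char *s)
{
    memset(p, 0, sizeof(*p));
    for (; *s; s++) vt_putchar(p, (unsigned char)*s);
    return p->nb_esc_params;
}
```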
Technologies Affected
---------------------
Citrix XenServer 6.0
Citrix XenServer 5.6
Citrix XenServer 5.5
Citrix XenServer 5.0
Vendor Response
---------------
The vendor issued a security hotfix on 5th September 2012. See http://support.citrix.com/article/CTX134708 for support information and download locations for the different versions of XenServer.
Disclosure Timeline
-------------------
24th May 2012 – Vendor notified
5th September 2012 – Vendor issues fix
Credits
-------
James Forshaw of Context Information Security
About Context Information Security
----------------------------------
Context Information Security is an independent security consultancy specialising in both technical security and information assurance services.
The company was founded in 1998. Its client base has grown steadily over the years, thanks in large part to personal recommendations from existing clients who value us as business partners. We believe our success is based on the value our clients place on our product-agnostic, holistic approach; the way we work closely with them to develop a tailored service; and the independence, integrity and technical skills of our consultants.
The company’s client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations.
The best security experts need to bring a broad portfolio of skills to the job, so Context has always sought to recruit staff with extensive business experience as well as technical expertise. Our aim is to provide effective and practical solutions, advice and support: when we report back to clients we always communicate our findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.
Web: www.contextis.com
Email: disclosure@contextis.co.uk