Description of Problem
Several security issues have been identified within Citrix XenServer. These issues could, if exploited, allow an authenticated administrator to perform a denial-of-service attack against the host, even when that administrator has a less-privileged RBAC role (e.g. read-only). In addition, the issues could permit an attacker with the ability to influence NTP traffic on the management network to disrupt time synchronization on the host until the next reboot.
The following vulnerabilities have been addressed:
- CVE-2017-5572 (Low): Authenticated read-only administrator can corrupt host database
- CVE-2017-5573 (Low): Authenticated read-only administrator can cancel tasks of other administrators
- CVE-2015-5300, CVE-2015-7704, CVE-2015-7705 (Low): NTP updates
Mitigating Factors
Customers who have not enabled NTP are unaffected by the NTP issues.
Customers who have not enabled RBAC are unaffected by the RBAC issues.
Customers using Citrix XenServer 6.0.2 in the Common Criteria configuration are unaffected by the RBAC issues.
What Customers Should Do
Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes, which can be downloaded from the following locations:
Citrix XenServer 7.0: CTX220081 – https://support.citrix.com/article/CTX220081 and CTX220244 – https://support.citrix.com/article/CTX220244
Citrix XenServer 6.5 SP1: CTX220080 – https://support.citrix.com/article/CTX220080 and CTX220243 – https://support.citrix.com/article/CTX220243
Citrix XenServer 6.2 SP1: CTX220079 – https://support.citrix.com/article/CTX220079 and CTX220242 – https://support.citrix.com/article/CTX220242
Citrix XenServer 6.0.2 Common Criteria: CTX220078 – https://support.citrix.com/article/CTX220078
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change
25th January 2017 | Initial publishing