Citrix Provisioning Services Multiple Security Updates

Related Vulnerabilities: CVE-2016-9676   CVE-2016-9678   CVE-2016-9679   CVE-2016-9680   CVE-2016-9677  

Description of Problem

A number of security vulnerabilities have been identified in Citrix Provisioning Services components that, if exploited, could allow an attacker to execute arbitrary privileged code on Provisioning Services target devices. Some of these issues could be exploited by an attacker who has network access to the Provisioning Services target devices; no credentials on the target device are required for those cases.

These vulnerabilities have been assigned the following CVE numbers:

  • CVE-2016-9676: Buffer overwrite vulnerability in Citrix Provisioning Services before version 7.12 could result in arbitrary code execution.
  • CVE-2016-9678: “Use after free” vulnerability in Citrix Provisioning Services before version 7.12 could result in arbitrary code execution.
  • CVE-2016-9679: Function pointer overwrite vulnerability in Citrix Provisioning Services before version 7.12 could result in arbitrary code execution.
  • CVE-2016-9680: Vulnerability in Citrix Provisioning Services before version 7.12 could result in disclosure of kernel memory.
  • CVE-2016-9677: Kernel address information leakage vulnerability in Citrix Provisioning Services before version 7.12.

These vulnerabilities affect the target device component released as part of Citrix Provisioning Services up to and including version 7.11.


Mitigating Factors

In typical deployments, Citrix Provisioning Services target devices are not routable from the Internet. This limits exposure to attackers who already have access to the internal network on which the target devices boot; it does not protect against such an attacker, so network isolation should be treated as a mitigating factor rather than a substitute for the update.


What Customers Should Do

These vulnerabilities have been addressed in Citrix Provisioning Services version 7.12 and later. Citrix strongly recommends that customers upgrade to this version immediately.

This new version can be found at the following location:

https://www.citrix.com/downloads/provisioning-services.html

Customers using the Provisioning Services LTSR, version 7.6, should apply a cumulative update to address these vulnerabilities. This update, 7.6.4, can be found at the following location:

https://www.citrix.com/downloads/provisioning-services.html
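
As an added illustrative check (not Citrix code and not part of the original advisory), the following PowerShell encodes the version thresholds stated above, affected up to and including 7.11, fixed in 7.12 and later, and fixed at cumulative update 7.6.4 on the 7.6 LTSR branch, and applies them to whatever target device software is registered on the local machine. The registry lookup assumes the target device installer registers a standard Windows Uninstall entry whose DisplayName contains "Provisioning Services" and "Target Device" and whose DisplayVersion parses as a System.Version; both are assumptions, not facts from the advisory, and the function names are hypothetical.

```powershell
# Added example: classify a Citrix Provisioning Services target device
# software version against this advisory. Not Citrix code.
# Assumptions (not stated in the advisory): the target device software
# registers an entry under the standard Windows Uninstall registry keys
# whose DisplayName contains "Provisioning Services" and "Target Device",
# and whose DisplayVersion parses as a System.Version.

function Test-PvsTargetDeviceAffected {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][version]$Version
    )
    # Thresholds taken from the advisory text.
    $fixedCurrent = [version]'7.12'    # 7.12 and later are fixed
    $fixedLtsr    = [version]'7.6.4'   # 7.6 LTSR is fixed from CU4 (7.6.4)

    if ($Version -ge $fixedCurrent) {
        return $false
    }
    # The 7.6 LTSR branch is the one exception below 7.12: 7.6.4+ is fixed.
    if ($Version.Major -eq 7 -and $Version.Minor -eq 6 -and $Version -ge $fixedLtsr) {
        return $false
    }
    # Everything else up to and including 7.11 (and 7.6 before CU4) is affected.
    return $true
}

function Get-PvsTargetDeviceVersion {
    # Both native and WOW6432Node uninstall hives, so 32-bit and 64-bit
    # installers are found on a 64-bit target device.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Provisioning Services*Target Device*' } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                DisplayVersion = [version]$_.DisplayVersion
            }
        }
}

# Usage: run on a target device or its master image and print the verdict.
foreach ($entry in Get-PvsTargetDeviceVersion) {
    $affected = Test-PvsTargetDeviceAffected -Version $entry.DisplayVersion
    $verdict  = if ($affected) {
        'AFFECTED: upgrade to 7.12 or later (7.6.4 on the 7.6 LTSR branch)'
    } else {
        'not affected'
    }
    '{0} {1}: {2}' -f $entry.DisplayName, $entry.DisplayVersion, $verdict
}
```

Because the target device software is part of the streamed vDisk image rather than of any individual device, the useful place to run this is the master or maintenance image; a device that reports a fixed version only stays fixed once the updated image has been promoted to production.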


Acknowledgements

Citrix thanks Fabien Perigaud of Airbus Defence and Space CyberSecurity (https://www.cybersecurity-airbusds.com/) for working with us to protect Citrix customers.


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date  Change
17th January 2017 Initial publishing