// For flags

CVE-2016-9637

Xen: qemu ioport out-of-bounds array access (XSA-199)

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.

Las funciones (1) ioport_read y (2) ioport_write en Xen, cuando qemu es utilizado como un modelo de dispositivo dentro de Xen, podría permitir a administradores locales del SO invitado x86 HVM obtener privilegios del proceso qemu a través de vectores que involucran un acceso ioport fuera de rango.

An out of bounds array access issue was found in the Xen virtual machine monitor, built with the QEMU ioport support. It could occur while doing ioport read/write operations, if guest was to supply a 32bit address parameter. A privileged guest user/process could use this flaw to potentially escalate their privileges on a host.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
High
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
Attack Vector
Adjacent
Attack Complexity
High
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-11-23 CVE Reserved
  • 2016-12-20 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-125: Out-of-bounds Read
  • CWE-264: Permissions, Privileges, and Access Controls
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Citrix
Search vendor "Citrix"
Xenserver
Search vendor "Citrix" for product "Xenserver"
6.0.2
Search vendor "Citrix" for product "Xenserver" and version "6.0.2"
-
Affected
Citrix
Search vendor "Citrix"
Xenserver
Search vendor "Citrix" for product "Xenserver"
6.2.0
Search vendor "Citrix" for product "Xenserver" and version "6.2.0"
sp1
Affected
Citrix
Search vendor "Citrix"
Xenserver
Search vendor "Citrix" for product "Xenserver"
6.5
Search vendor "Citrix" for product "Xenserver" and version "6.5"
sp1
Affected
Citrix
Search vendor "Citrix"
Xenserver
Search vendor "Citrix" for product "Xenserver"
7.0
Search vendor "Citrix" for product "Xenserver" and version "7.0"
-
Affected