CVE-2016-9637

Xen: qemu ioport out-of-bounds array access (XSA-199)

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.

Las funciones (1) ioport_read y (2) ioport_write en Xen, cuando qemu es utilizado como un modelo de dispositivo dentro de Xen, podría permitir a administradores locales del SO invitado x86 HVM obtener privilegios del proceso qemu a través de vectores que involucran un acceso ioport fuera de rango.

An out of bounds array access issue was found in the Xen virtual machine monitor, built with the QEMU ioport support. It could occur while doing ioport read/write operations, if guest was to supply a 32bit address parameter. A privileged guest user/process could use this flaw to potentially escalate their privileges on a host.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

Attack Vector

Adjacent

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-11-23 CVE Reserved
2016-12-20 CVE Published
2023-03-08 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read
CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (9)

URL	Tag	Source
http://www.securityfocus.com/bid/94699	Vdb Entry
http://www.securitytracker.com/id/1037397	Vdb Entry
http://xenbits.xen.org/xsa/advisory-199.html	X_refsource_confirm
https://lists.debian.org/debian-lts-announce/2018/02/msg00005.html	Mailing List
https://support.citrix.com/article/CTX219136	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2016-2963.html	2018-02-08
https://security.gentoo.org/glsa/201612-56	2018-02-08
https://access.redhat.com/security/cve/CVE-2016-9637	2016-12-20
https://bugzilla.redhat.com/show_bug.cgi?id=1397043	2016-12-20

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				6.0.2 Search vendor "Citrix" for product "Xenserver" and version "6.0.2"		-		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				6.2.0 Search vendor "Citrix" for product "Xenserver" and version "6.2.0"		sp1		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				6.5 Search vendor "Citrix" for product "Xenserver" and version "6.5"		sp1		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				7.0 Search vendor "Citrix" for product "Xenserver" and version "7.0"		-		Affected