Vulnerabilities > CVE-2017-5572 - Improper Privilege Management vulnerability in Citrix Xenserver

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
citrix
CWE-269
nessus
NVD
Published: 2017-01-30
Updated: 2019-10-03

Summary

An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated read-only administrator can corrupt the host database.

Vulnerable Configurations

Part Description Count
Application
Citrix
4

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Nessus

NASL familyMisc.
NASL idCITRIX_XENSERVER_CTX220112.NASL
descriptionThe version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by the following vulnerabilities : - A man-in-the-middle (MitM) vulnerability exists in the NTP component due to an improperly implemented threshold limitation for the
last seen2020-06-01
modified2020-06-02
plugin id96928
published2017-02-01
reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/96928
titleCitrix XenServer Multiple Vulnerabilities (CTX220112)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(96928);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2015-5300",
    "CVE-2015-7704",
    "CVE-2015-7705",
    "CVE-2017-5572",
    "CVE-2017-5573"
  );
  script_bugtraq_id(
    77280,
    77284,
    77312,
    95796,
    95801
  );
  script_xref(name:"CERT", value:"718152");

  script_name(english:"Citrix XenServer Multiple Vulnerabilities (CTX220112)");
  script_summary(english:"Checks for patches.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Citrix XenServer running on the remote host is missing
a security hotfix. It is, therefore, affected by the following
vulnerabilities :

  - A man-in-the-middle (MitM) vulnerability exists in the
    NTP component due to an improperly implemented threshold
    limitation for the '-g' option. A man-in-the-middle
    attacker can exploit this to intercept NTP traffic and
    return arbitrary date and time values to users. This
    vulnerability is only applicable if NTP is enabled.
    (CVE-2015-5300)

  - A denial of service vulnerability exists in the NTP
    component due to improper validation of the origin
    timestamp field when handling a Kiss-of-Death (KoD)
    packet. An unauthenticated, remote attacker can exploit
    this to cause a client to stop querying its servers,
    preventing the client from updating its clock. This
    vulnerability is only applicable if NTP is enabled.
    (CVE-2015-7704)

  - A denial of service vulnerability exists in the NTP
    component due to improper implementation of
    rate-limiting when handling server queries. An
    unauthenticated, remote attacker can exploit this to
    stop the client from querying its servers, preventing it
    from updating its clock. This vulnerability is only
    applicable if NTP is enabled. (CVE-2015-7705)

  - An unspecified flaw exists that allows an authenticated,
    remote attacker with read-only administrator access to
    corrupt the host database. This vulnerability is only
    applicable if RBAC is enabled. (CVE-2017-5572)

  - An unspecified flaw exists that allows an authenticated,
    remote attacker with read-only administration access to
    cancel the tasks of other administrators. This
    vulnerability is only applicable if RBAC is enabled.
    (CVE-2017-5573)");
  script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX220112");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate hotfix per the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-7705");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/01");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:citrix:xenserver");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("citrix_xenserver_version.nbin");
  script_require_keys("Host/XenServer/version", "Host/local_checks_enabled");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

app_name = "Citrix XenServer";
version = get_kb_item_or_exit("Host/XenServer/version");
get_kb_item_or_exit("Host/local_checks_enabled");
patches = get_kb_item("Host/XenServer/patches");
vuln = FALSE;
fix = '';

if (version == "6.0.2")
{
  fix = "XS602ECC036"; # CTX220078
  if (fix >!< patches) vuln = TRUE;
}
else if (version =~ "^6\.2\.0")
{
  fix = "XS62ESP1051 and XS62ESP1055"; # CTX220079 and CTX220242
  if (("XS62ESP1051" >!< patches) || ("XS62ESP1055" >!< patches)) vuln = TRUE;
}
else if (version =~ "^6\.5\.0")
{
  fix = "XS65ESP1040 and XS65ESP1047"; # CTX220080 and CTX220243
  if (("XS65ESP1040" >!< patches) || ("XS65ESP1047" >!< patches)) vuln = TRUE;
}
else if (version =~ "^7\.0")
{
  fix = "XS70E018"; # CTX220081 and CTX220244
  if (("XS70E018" >!< patches) || ("XS70E025" >!< patches)) vuln = TRUE;
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

if (vuln)
{
  port = 0;
  report = report_items_str(
    report_items:make_array(
      "Installed version", version,
      "Missing hotfix", fix
    ),
    ordered_fields:make_list("Installed version", "Missing hotfix")
  );
  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
}
else audit(AUDIT_PATCH_INSTALLED, fix);

References