Vulnerabilities > CVE-2017-5573 - Unspecified vulnerability in Citrix Xenserver

047910
CVSS 4.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
citrix
nessus

Summary

An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated read-only administrator can cancel tasks of other administrators.

Vulnerable Configurations

Part Description Count
Application
Citrix
4

Nessus

NASL familyMisc.
NASL idCITRIX_XENSERVER_CTX220112.NASL
descriptionThe version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by the following vulnerabilities : - A man-in-the-middle (MitM) vulnerability exists in the NTP component due to an improperly implemented threshold limitation for the
last seen2020-06-01
modified2020-06-02
plugin id96928
published2017-02-01
reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/96928
titleCitrix XenServer Multiple Vulnerabilities (CTX220112)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(96928);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2015-5300",
    "CVE-2015-7704",
    "CVE-2015-7705",
    "CVE-2017-5572",
    "CVE-2017-5573"
  );
  script_bugtraq_id(
    77280,
    77284,
    77312,
    95796,
    95801
  );
  script_xref(name:"CERT", value:"718152");

  script_name(english:"Citrix XenServer Multiple Vulnerabilities (CTX220112)");
  script_summary(english:"Checks for patches.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Citrix XenServer running on the remote host is missing
a security hotfix. It is, therefore, affected by the following
vulnerabilities :

  - A man-in-the-middle (MitM) vulnerability exists in the
    NTP component due to an improperly implemented threshold
    limitation for the '-g' option. A man-in-the-middle
    attacker can exploit this to intercept NTP traffic and
    return arbitrary date and time values to users. This
    vulnerability is only applicable if NTP is enabled.
    (CVE-2015-5300)

  - A denial of service vulnerability exists in the NTP
    component due to improper validation of the origin
    timestamp field when handling a Kiss-of-Death (KoD)
    packet. An unauthenticated, remote attacker can exploit
    this to cause a client to stop querying its servers,
    preventing the client from updating its clock. This
    vulnerability is only applicable if NTP is enabled.
    (CVE-2015-7704)

  - A denial of service vulnerability exists in the NTP
    component due to improper implementation of
    rate-limiting when handling server queries. An
    unauthenticated, remote attacker can exploit this to
    stop the client from querying its servers, preventing it
    from updating its clock. This vulnerability is only
    applicable if NTP is enabled. (CVE-2015-7705)

  - An unspecified flaw exists that allows an authenticated,
    remote attacker with read-only administrator access to
    corrupt the host database. This vulnerability is only
    applicable if RBAC is enabled. (CVE-2017-5572)

  - An unspecified flaw exists that allows an authenticated,
    remote attacker with read-only administration access to
    cancel the tasks of other administrators. This
    vulnerability is only applicable if RBAC is enabled.
    (CVE-2017-5573)");
  script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX220112");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate hotfix per the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-7705");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/01");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:citrix:xenserver");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("citrix_xenserver_version.nbin");
  script_require_keys("Host/XenServer/version", "Host/local_checks_enabled");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

app_name = "Citrix XenServer";
version = get_kb_item_or_exit("Host/XenServer/version");
get_kb_item_or_exit("Host/local_checks_enabled");
patches = get_kb_item("Host/XenServer/patches");
vuln = FALSE;
fix = '';

if (version == "6.0.2")
{
  fix = "XS602ECC036"; # CTX220078
  if (fix >!< patches) vuln = TRUE;
}
else if (version =~ "^6\.2\.0")
{
  fix = "XS62ESP1051 and XS62ESP1055"; # CTX220079 and CTX220242
  if (("XS62ESP1051" >!< patches) || ("XS62ESP1055" >!< patches)) vuln = TRUE;
}
else if (version =~ "^6\.5\.0")
{
  fix = "XS65ESP1040 and XS65ESP1047"; # CTX220080 and CTX220243
  if (("XS65ESP1040" >!< patches) || ("XS65ESP1047" >!< patches)) vuln = TRUE;
}
else if (version =~ "^7\.0")
{
  fix = "XS70E018"; # CTX220081 and CTX220244
  if (("XS70E018" >!< patches) || ("XS70E025" >!< patches)) vuln = TRUE;
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

if (vuln)
{
  port = 0;
  report = report_items_str(
    report_items:make_array(
      "Installed version", version,
      "Missing hotfix", fix
    ),
    ordered_fields:make_list("Installed version", "Missing hotfix")
  );
  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
}
else audit(AUDIT_PATCH_INSTALLED, fix);