CVE-2016-9637 - OpenCVE

The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:H/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Citrix	Xenserver
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:citrix:xenserver:6.0.2:::::::*
	cpe:2.3:a:citrix:xenserver:6.2.0:sp1::::::
	cpe:2.3:a:citrix:xenserver:6.5:sp1::::::
	cpe:2.3:a:citrix:xenserver:7.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 5
xen-0:3.0.3-148.el5_11	cpe:/o:redhat:enterprise_linux:5	RHSA-2016:2963	2016-12-20T00:00:00Z

References

Link	Providers
http://rhn.redhat.com/errata/RHSA-2016-2963.html
http://www.securityfocus.com/bid/94699
http://www.securitytracker.com/id/1037397
http://xenbits.xen.org/xsa/advisory-199.html
https://lists.debian.org/debian-lts-announce/2018/02/msg00005.html
https://nvd.nist.gov/vuln/detail/CVE-2016-9637
https://security.gentoo.org/glsa/201612-56
https://support.citrix.com/article/CTX219136
https://www.cve.org/CVERecord?id=CVE-2016-9637

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-02-16T18:00:00

Updated: 2024-08-06T02:59:03.139Z

Reserved: 2016-11-23T00:00:00

Link: CVE-2016-9637

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-02-17T02:59:13.967

Modified: 2018-02-08T02:29:00.583

Link: CVE-2016-9637

Redhat

Severity : Important

Publid Date: 2016-12-06T00:00:00Z

Links: CVE-2016-9637 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-12-06T00:00:00", "descriptions": [{"lang": "en", "value": "The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-07T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "94699", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94699"}, {"name": "GLSA-201612-56", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201612-56"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.citrix.com/article/CTX219136"}, {"name": "[debian-lts-announce] 20180206 [SECURITY] [DLA 1270-1] xen security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00005.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://xenbits.xen.org/xsa/advisory-199.html"}, {"name": "1037397", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037397"}, {"name": "RHSA-2016:2963", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2963.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-9637", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "94699", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94699"}, {"name": "GLSA-201612-56", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201612-56"}, {"name": "https://support.citrix.com/article/CTX219136", "refsource": "CONFIRM", "url": "https://support.citrix.com/article/CTX219136"}, {"name": "[debian-lts-announce] 20180206 [SECURITY] [DLA 1270-1] xen security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00005.html"}, {"name": "http://xenbits.xen.org/xsa/advisory-199.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-199.html"}, {"name": "1037397", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037397"}, {"name": "RHSA-2016:2963", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2963.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:59:03.139Z"}, "title": "CVE Program Container", "references": [{"name": "94699", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94699"}, {"name": "GLSA-201612-56", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201612-56"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.citrix.com/article/CTX219136"}, {"name": "[debian-lts-announce] 20180206 [SECURITY] [DLA 1270-1] xen security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00005.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://xenbits.xen.org/xsa/advisory-199.html"}, {"name": "1037397", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037397"}, {"name": "RHSA-2016:2963", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2963.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-9637", "datePublished": "2017-02-16T18:00:00", "dateReserved": "2016-11-23T00:00:00", "dateUpdated": "2024-08-06T02:59:03.139Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:citrix:xenserver:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "5FCF191B-971A-4945-AB14-08091689BE2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:citrix:xenserver:6.2.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "878949E0-D656-4E0E-858A-C6AD948A2A2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:citrix:xenserver:6.5:sp1:*:*:*:*:*:*", "matchCriteriaId": "DBCF6643-ACDE-4DDB-8B01-D952DDF8951E", "vulnerable": true}, {"criteria": "cpe:2.3:a:citrix:xenserver:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "405F950F-0772-41A3-8B72-B67151CC1376", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access."}, {"lang": "es", "value": "Las funciones (1) ioport_read y (2) ioport_write en Xen, cuando qemu es utilizado como un modelo de dispositivo dentro de Xen, podr\u00eda permitir a administradores locales del SO invitado x86 HVM obtener privilegios del proceso qemu a trav\u00e9s de vectores que involucran un acceso ioport fuera de rango."}], "id": "CVE-2016-9637", "lastModified": "2018-02-08T02:29:00.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 1.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-17T02:59:13.967", "references": [{"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-2963.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/94699"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1037397"}, {"source": "cve@mitre.org", "url": "http://xenbits.xen.org/xsa/advisory-199.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00005.html"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201612-56"}, {"source": "cve@mitre.org", "url": "https://support.citrix.com/article/CTX219136"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Xen project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2016:2963", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "xen-0:3.0.3-148.el5_11", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2016-12-20T00:00:00Z"}], "bugzilla": {"description": "Xen: qemu ioport out-of-bounds array access (XSA-199)", "id": "1397043", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1397043"}, "csaw": false, "cvss": {"cvss_base_score": "6.5", "cvss_scoring_vector": "AV:A/AC:H/Au:S/C:C/I:C/A:C", "status": "verified"}, "cvss3": {"cvss3_base_score": "7.6", "cvss3_scoring_vector": "CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-125", "details": ["The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.", "An out of bounds array access issue was found in the Xen virtual machine monitor, built with the QEMU ioport support. It could occur while doing ioport read/write operations, if guest was to supply a 32bit address parameter. A privileged guest user/process could use this flaw to potentially escalate their privileges on a host."], "name": "CVE-2016-9637", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kvm", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openstack:5::el6", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)"}, {"cpe": "cpe:/a:redhat:openstack:6", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)"}, {"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2016-12-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-9637\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-9637\nhttp://xenbits.xen.org/xsa/advisory-199.html"], "threat_severity": "Important"}