Back in August 2016, we conducted a pentest on a Citrix infrastructure, which allowed us to find various critical vulnerabilities in Citrix Provisioning Services. We contacted Citrix Security Response Team to responsibly disclose these vulnerabilities back in September, and they quickly acknowledged the issues and worked on fix.
Today, Citrix released the CTX219580 security advisory containing the fixes for the five vulnerabilities.
It has to be noted that all the exchanges with the Citrix Security Response Team were very pleasant, and they provided us with regular updates about the correction status of the vulnerabilities.
Citrix Provisioning Services is a Citrix product, which allows a single disk image to be used by many XenApp or XenDesktop instances. It requires some drivers to be installed in the image for the system drive to be streamed through the network, such as “CVhdMp.sys” (the “Virtual Hard Disk Adapter” driver) and “bnistack6.sys” (the “Virtual HBA SCSI Disk Device” driver).
We’ve focused our attention on this latest driver, which lacked several defence mechanisms.
The “\\.\Global\BNInterface” device can be accessed by any user on the system, and the driver’s IOCTL handler lacks verification of the origin (user or kernel-mode).
Therefore, the following vulnerabilities have been identified, and could be exploited by an unprivileged user logged on the system to elevate his privileges:
- CVE-2016-9677, information leak: the 0x85012404 IOCTL returns a structure containing kernel heap pointers, allowing to defeat ASLR.
- CVE-2016-9678, use-after-free: the 0x85012408 IOCTL allows to free a specific structure knowing its address, which can be guessed from the previous vulnerability. This leads to a use-after-free condition triggered by the “CVhdMp.sys” driver when trying to call function pointers located in the freed structure.
- CVE-2016-9679, function pointers overwrite: the 0x85012404 IOCTL allows to overwrite two kernel function pointers. However, these pointers do not seem to be called in a default configuration.
Trusted network packets
Citrix Provisioning Services uses its own protocol over UDP between the server and the various XenApp/XenDesktop instances. Every XenApp/XenDesktop instance waits for incoming packets on UDP port 6902, and parses them, leading to the following vulnerabilities:
- CVE-2016-9680, invalid memory read: the packet parsing function blindly trusts user-input to compute a memory address for reading data, which could trigger a kernel crash (BSOD).
- CVE-2016-9676, buffer overflow: the packet parsing function blindly trusts user-input as the amount of data to copy in a fixed-size buffer, when handling command 0xb. This could allow remote code execution at kernel level, or trigger a BSOD in case of failed attempts.
Citrix has released Provisioning Services version 7.12 which fixes these vulnerabilities.
As these vulnerabilities are highly critical, we advise Citrix Provisioning Services users to install the new version as soon as possible.