Xen Cirrus VGA Emulator Heap Overflow Vulnerability [CVE-2016-9603]

CVE number – CVE-2016-9603

A vulnerability in the Cirrus VGA Emulator of Xen Hypervisor could allow a local attacker to gain elevated privileges.

The vulnerability is due to improper bounds checks when the Cirrus VGA Emulator attempts to resize the display of the console. An attacker on a guest operating system could exploit this vulnerability to trigger a heap overflow condition in the device model process of the affected software. A successful exploit could allow the attacker to gain elevated privileges and potentially execute arbitrary code on the host operating system.

Xen.org has confirmed the vulnerability and released software patches.

Technical Information
  • The vulnerability is due to improper bounds checks by the affected software. When a console component, such as the VNC emulation component, attempts to update its display after a Cirrus VGA Emulator operation, a heap overflow condition could occur in the device model process if the new display is larger than the previous display.
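The following C program is an added illustration of the bug class described above, not code from the Xen project or its device model: a host-side display surface that was allocated for the guest's previous video mode, an update routine that trusts the guest-programmed geometry (the missing bounds check), and the hardened form that validates the new mode and grows the surface before copying. All names (`surface`, `refresh_unchecked`, `refresh_checked`, `MAX_DIM`) and the sample video memory are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the condition in this advisory: a surface in the
 * device-model process sized for the old mode, and a refresh that writes a
 * frame of the NEW, larger mode into it. Hypothetical names throughout. */

#define BYTES_PER_PIXEL 4
#define MAX_DIM 4096            /* hypothetical sanity limit on width/height */

struct surface {
    size_t width, height;       /* geometry the buffer currently holds */
    size_t capacity;            /* bytes actually allocated for pixels */
    uint8_t *pixels;            /* heap buffer in the device-model process */
};

/* Bytes needed for a width x height frame, or 0 if the mode is invalid.
 * With both dimensions capped at MAX_DIM the product cannot overflow. */
size_t frame_bytes(size_t width, size_t height)
{
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return 0;
    return width * height * BYTES_PER_PIXEL;
}

struct surface *surface_create(size_t width, size_t height)
{
    size_t need = frame_bytes(width, height);
    if (need == 0) return NULL;
    struct surface *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->pixels = calloc(need, 1);
    if (!s->pixels) { free(s); return NULL; }
    s->width = width; s->height = height; s->capacity = need;
    return s;
}

void surface_destroy(struct surface *s)
{
    if (s) { free(s->pixels); free(s); }
}

/* Does a new_w x new_h frame fit in the surface as currently allocated? */
int mode_fits(const struct surface *s, size_t new_w, size_t new_h)
{
    size_t need = frame_bytes(new_w, new_h);
    return need != 0 && need <= s->capacity;
}

/* VULNERABLE pattern: the guest switched to new_w x new_h and the refresh
 * copies a frame of that size into a buffer sized for the OLD mode. Nothing
 * compares the new frame size with s->capacity, so a larger mode writes past
 * the end of the heap allocation. Shown only for contrast; this file never
 * calls it with a mode larger than the surface. */
void refresh_unchecked(struct surface *s, size_t new_w, size_t new_h, const uint8_t *vram)
{
    memcpy(s->pixels, vram, new_w * new_h * BYTES_PER_PIXEL);
}

/* HARDENED pattern: reject invalid geometry, grow the surface before any
 * pixel data is written, and bound the copy by both the frame size and the
 * available source. Returns 0 on success, -1 if the mode is rejected. */
int refresh_checked(struct surface *s, size_t new_w, size_t new_h,
                    const uint8_t *vram, size_t vram_len)
{
    size_t need = frame_bytes(new_w, new_h);
    if (need == 0 || need > vram_len)
        return -1;                              /* invalid or unsupported mode */
    if (need > s->capacity) {                   /* resize BEFORE touching pixels */
        uint8_t *grown = realloc(s->pixels, need);
        if (!grown) return -1;
        s->pixels = grown;
        s->capacity = need;
    }
    s->width = new_w; s->height = new_h;
    memcpy(s->pixels, vram, need);
    return 0;
}

int main(void)
{
    /* Constructed guest video memory, filled with a recognisable pattern. */
    static uint8_t vram[800 * 600 * BYTES_PER_PIXEL];
    memset(vram, 0xAB, sizeof vram);

    struct surface *s = surface_create(640, 480);   /* previous mode */
    printf("800x600 fits a 640x480 surface: %d\n", mode_fits(s, 800, 600));
    printf("checked refresh to 800x600: %d, capacity now %zu bytes\n",
           refresh_checked(s, 800, 600, vram, sizeof vram), s->capacity);
    printf("checked refresh to 0x5000 rejected: %d\n",
           refresh_checked(s, 0, 5000, vram, sizeof vram));
    surface_destroy(s);
    return 0;
}
```

The decisive difference is the order of operations in `refresh_checked`: the frame size is computed from validated geometry and the buffer is grown before the copy, so a guest that enlarges its display only ever costs the host an allocation, never an out-of-bounds write.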
Analysis
  • To exploit this vulnerability, the attacker must have local access to the targeted guest operating system. This access requirement may reduce the likelihood of a successful exploit.
  • This vulnerability affects only hardware-assisted virtual machine (HVM) guest operating systems that have the Cirrus video card enabled.

Safeguards
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to access local systems.
  • Administrators are advised to monitor affected systems.

Vendor Announcements
Fixed Software

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Duncan Newell
