Citrix Provisioning Services is a Citrix product, which allows a single disk image to be used by many XenApp or XenDesktop instances. It requires some drivers to be installed in the image for the system drive to be streamed through the network, such as "CVhdMp.sys" (the "Virtual Hard Disk Adapter" driver) and "bnistack6.sys" (the "Virtual HBA SCSI Disk Device" driver).

We've focused our attention on this latest driver, which lacked several defence mechanisms.

Unchecked IOCTLs

The "\\.\Global\BNInterface" device can be accessed by any user on the system, and the driver's IOCTL handler lacks verification of the origin (user or kernel-mode).

Therefore, the following vulnerabilities have been identified, and could be exploited by an unprivileged user logged on the system to elevate his privileges:

  • CVE-2016-9677, information leak: the 0x85012404 IOCTL returns a structure containing kernel heap pointers, allowing to defeat ASLR.
  • CVE-2016-9678, use-after-free: the 0x85012408 IOCTL allows to free a specific structure knowing its address, which can be guessed from the previous vulnerability. This leads to a use-after-free condition triggered by the "CVhdMp.sys" driver when trying to call function pointers located in the freed structure.
  • CVE-2016-9679, function pointers overwrite: the 0x85012404 IOCTL allows to overwrite two kernel function pointers. However, these pointers do not seem to be called in a default configuration.

Trusted network packets

Citrix Provisioning Services uses its own protocol over UDP between the server and the various XenApp/XenDesktop instances. Every XenApp/XenDesktop instance waits for incoming packets on UDP port 6902, and parses them, leading to the following vulnerabilities:

  • CVE-2016-9680, invalid memory read: the packet parsing function blindly trusts user-input to compute a memory address for reading data, which could trigger a kernel crash (BSOD).
  • CVE-2016-9676, buffer overflow: the packet parsing function blindly trusts user-input as the amount of data to copy in a fixed-size buffer, when handling command 0xb. This could allow remote code execution at kernel level, or trigger a BSOD in case of failed attempts.

Solution

Citrix has released Provisioning Services version 7.12 which fixes these vulnerabilities.

As these vulnerabilities are highly critical, we advise Citrix Provisioning Services users to install the new version as soon as possible.