Vigil@nce - Citrix XenServer 7: privilege escalation via Active Directory
August 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker with an account in Active Directory can log in to
Citrix XenServer 7, in order to compromise the system.
Impacted products: XenServer.
Severity: 2/4.
Creation date: 10/06/2016.
DESCRIPTION OF THE VULNERABILITY
The Citrix XenServer 7 product can be installed with Active
Directory authentication still enabled.
However, after this installation, every AD user can authenticate
to XenServer.
An attacker with an account in Active Directory can therefore
log in to Citrix XenServer 7, in order to compromise the system.