#VU94097 Resource exhaustion in Citrix XenServer and Citrix Hypervisor - CVE-2024-5661

Cybersecurity Help s.r.o.

Published: 2024-07-11

Vulnerability identifier: #VU94097

Vulnerability risk: Medium

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:U/U:Green]

CVE-ID: CVE-2024-5661

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Citrix XenServer
Server applications / Other server solutions
Citrix Hypervisor
Server applications / Virtualization software

Vendor: Citrix

Description

The vulnerability allows a malicious guest user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A malicious administrator of the guest OS can perform a denial of service (DoS) attack against the hypervisor.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Citrix XenServer: 8.0

Citrix Hypervisor: 8.2 CU1

External links
https://support.citrix.com/article/CTX677100/xenserver-and-citrix-hypervisor-security-update-for-cve20245661
https://support.citrix.com/article/CTX677067/hotfix-xs82ecu1068-for-citrix-hypervisor-82-cumulative-update-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in Citrix XenServer and Citrix Hypervisor