PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9379 Citrix CVE debrief

CVE-2016-9379 is a high-severity Xen pygrub issue that can cross the guest-to-host boundary. According to the official record, when pygrub is asked for S-expression output, a guest OS administrator using pygrub can leverage quotes and S-expressions in the bootloader configuration file to read or delete arbitrary files on the host. The risk is limited to local use with elevated guest-side privileges, but the impact reaches host confidentiality and integrity.

Vendor: Citrix
Product: CVE-2016-9379
CVSS: HIGH 7.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Xen and Citrix XenServer operators, especially teams that allow guest OS administrators to use pygrub or manage bootloader configuration files, should prioritize this issue.

Technical summary

NVD classifies the issue under CWE-20 and lists the vulnerable scope as Xen plus Citrix XenServer 6.0.2, 6.2.0, 6.5, and 7.0. The CVSS vector (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N) reflects a local attack requiring high privileges, but with the potential to affect files on the host. The official vendor references point to Xen Security Advisory 198 and a corresponding patch, plus a Citrix support advisory.
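To make the CWE-20 classification concrete, the following Python example (added here; it is not pygrub's code, the `(linux (kernel ...) (ramdisk ...) (args ...))` shape is a simplified stand-in for pygrub's S-expression output, and the `UNTRUSTED_ARGS` value is constructed) shows why emitting guest-controlled strings into an S-expression without escaping lets one value alter the structure the consumer parses, and how escaping quotes and backslashes in the emitter keeps every field intact.

```python
"""Added example, not pygrub's code: naive versus escaped emission of
guest-controlled strings into a simplified S-expression, plus the
consumer-side reader that shows the structural difference."""

# Constructed sample: a bootloader "args" value that contains a quote and
# an S-expression fragment, as the advisory describes.
UNTRUSTED_ARGS = 'quiet" ) (ramdisk "other'


def emit_naive(kernel, ramdisk, args):
    """Weak form: configuration strings are dropped in verbatim."""
    return '(linux (kernel "%s") (ramdisk "%s") (args "%s"))' % (kernel, ramdisk, args)


def quote(s):
    """Escape backslashes and double quotes so a string can neither close
    its own field nor open new nodes in the output."""
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'


def emit_escaped(kernel, ramdisk, args):
    """Hardened form: every string goes through quote()."""
    return '(linux (kernel %s) (ramdisk %s) (args %s))' % (
        quote(kernel), quote(ramdisk), quote(args))


def parse_sexp(text):
    """Minimal S-expression reader: nested lists, bare atoms, and quoted
    strings with backslash escapes. This is the consumer's view."""
    pos = 0

    def read():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if text[pos] == '(':
            pos += 1
            items = []
            while True:
                while text[pos].isspace():
                    pos += 1
                if text[pos] == ')':
                    pos += 1
                    return items
                items.append(read())
        if text[pos] == '"':
            pos += 1
            out = []
            while text[pos] != '"':
                if text[pos] == '\\':      # escaped character follows
                    pos += 1
                out.append(text[pos])
                pos += 1
            pos += 1                       # closing quote
            return ''.join(out)
        start = pos
        while pos < len(text) and not text[pos].isspace() and text[pos] not in '()"':
            pos += 1
        return text[start:pos]

    return read()


def fields(tree):
    """Map field name -> value list for a parsed (linux ...) node.
    A later duplicate field silently overrides an earlier one, which is
    exactly what makes unescaped output dangerous."""
    return {node[0]: node[1:] for node in tree[1:]}


if __name__ == "__main__":
    for label, emit in (("naive", emit_naive), ("escaped", emit_escaped)):
        tree = parse_sexp(emit("/boot/vmlinuz", "/boot/initrd", UNTRUSTED_ARGS))
        print(label, len(tree), "nodes ->", fields(tree))
```

With the naive emitter the parsed tree gains a fifth node and the consumer's `ramdisk` value is no longer the one the emitter intended; with the escaped emitter the tree keeps its four nodes and the `args` field round-trips unchanged. Any real fix must escape on the producer side, because the consumer cannot tell an injected node from a legitimate one.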

Defensive priority

High for environments where guest administrators can influence pygrub or bootloader configuration; otherwise medium. The issue is local and privilege-gated, but it can impact host files directly.

Recommended defensive actions

  • Apply the Xen Security Advisory 198 fix and the related vendor updates referenced by Xen and Citrix.
  • Review whether pygrub is enabled or reachable for guest administrators, and disable or restrict it where possible.
  • Limit guest administrator privileges and separate guest-side management from host-level file access.
  • Audit bootloader configuration handling for unsafe parsing of S-expressions and quoted content.
  • Verify affected XenServer and Xen deployments against the versions listed in the NVD record.
  • Check host file integrity and access controls in environments where pygrub has been used.
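A small triage helper, added here as an example and not Xen or Citrix tooling, supports the second and fifth actions above: it scans xl-style domain configuration text for guests that hand boot over to pygrub (the `bootloader` key) and checks a XenServer version string against the versions the NVD record lists. The sample configurations and the version strings are constructed; the parser handles only the scalar key = value lines it needs and skips lists and comments.

```python
"""Added example, not Xen or Citrix tooling: find guests that boot via
pygrub and check a XenServer version against the NVD-listed set."""
import re

# Affected XenServer versions as listed in the NVD record for CVE-2016-9379.
AFFECTED_XENSERVER = {"6.0.2", "6.2.0", "6.5", "7.0"}

# key = "value" | key = 'value' | key = bare  (lists starting with '[' are skipped)
_KV = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^#\s\[]+))""")

# Constructed sample xl.cfg-style configurations for four guests.
SAMPLE_DOMAINS = {
    "web01": 'name = "web01"\nbootloader = "pygrub"\ndisk = [ "phy:/dev/vg/web01,xvda,w" ]\n',
    "db01": 'name="db01"\n# direct kernel boot from dom0\nkernel = "/boot/vmlinuz-guest"\nramdisk = "/boot/initrd-guest"\n',
    "win01": "name = 'win01'\nbuilder = 'hvm'\n",
    "legacy": "bootloader = '/usr/lib/xen/bin/pygrub'  # absolute path\n",
}


def parse_xl_config(text):
    """Return top-level scalar key/value pairs from xl.cfg-style text."""
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _KV.match(stripped)
        if not m:
            continue
        value = next(g for g in m.groups()[1:] if g is not None)
        conf[m.group(1)] = value
    return conf


def uses_pygrub(conf):
    """True when the guest delegates boot to pygrub, whether the key holds
    the bare name or an absolute path to the binary."""
    bootloader = conf.get("bootloader", "")
    return bootloader.rstrip("/").split("/")[-1] == "pygrub"


def xenserver_affected(version):
    """Exact match against the NVD-listed version strings."""
    return version.strip() in AFFECTED_XENSERVER


def triage(domains, xenserver_version):
    """domains: {name: config_text}. Returns the guests that boot via
    pygrub and whether the host version is in the affected list."""
    pygrub_domains = sorted(
        name for name, text in domains.items() if uses_pygrub(parse_xl_config(text))
    )
    return {
        "pygrub_domains": pygrub_domains,
        "host_affected": xenserver_affected(xenserver_version),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DOMAINS, "6.5"))
```

Guests that boot directly from a dom0-supplied kernel (`kernel =` / `ramdisk =`) or as HVM without a bootloader are not flagged, since they do not pass a guest-controlled configuration through pygrub; the version check is deliberately exact, so a version string outside the listed forms should be verified by hand against the NVD record rather than assumed clean.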

Evidence notes

The debrief is based on the NVD CVE record and the linked Xen/Citrix advisories. The supplied record states that pygrub in Xen, when S-expression output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via string quotes and S-expressions in the bootloader configuration file. NVD also lists CWE-20, the affected Xen/Citrix XenServer versions, and the CVSS 3.0 vector.

Official resources

CVE published: 2017-01-23T21:59:02.707Z. NVD record modified: 2026-05-13T00:24:29.033Z. No KEV entry was provided in the supplied corpus.