A number of security vulnerabilities have been identified in Citrix Provisioning Services components that, if exploited, could potentially allow an attacker to execute arbitrary, privileged, code on the Provisioning Services target devices. Some of these issues could be exploited by an attacker with network access to the Provisioning Services target devices.

These vulnerabilities have been assigned the following CVE numbers:

CVE-2016-9676: Buffer overwrite vulnerability in Citrix Provisioning Services before version 7.12 could result in arbitrary code execution.

CVE-2016-9678: “Use after free” vulnerability in Citrix Provisioning Services before version 7.12 could result in arbitrary code execution.

CVE-2016-9679: Function pointer overwrite vulnerability in Citrix Provisioning Services before version 7.12 could result in arbitrary code execution.

CVE-2016-9680: Vulnerability in Citrix Provisioning Services before version 7.12 could result in disclosure of kernel memory.

CVE-2016-9677: Kernel address information leakage vulnerability in Citrix Provisioning Services before version 7.12.

These vulnerabilities affect the target device component released as part of Citrix Provisioning Services up to and including version 7.11.