-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6296
   CVE-2014-0160 - Citrix Security Advisory for the Heartbleed vulnerability
                               2 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix products
Publisher:         Citrix
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0160 CVE-2014-0160

Original Bulletin:
   https://support.citrix.com/article/CTX140605/cve20140160-citrix-security-advisory-for-the-heartbleed-vulnerability

Comment: CVSS (Max):  7.5* CVE-2014-0160 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2014-0160 - Citrix Security Advisory for the Heartbleed vulnerability

Reference: CTX140605
Category : None
Created  : 09 April 2014
Modified : 15 August 2019

Overview

A vulnerability has been recently disclosed in OpenSSL that could result in
remote attackers being able to obtain sensitive data from the process address
space of a vulnerable OpenSSL server or client. The issue has been assigned
the following CVE identifier and is also known as the Heartbleed
vulnerability:

CVE-2014-0160: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

What Citrix is Doing

Citrix has analyzed the impact of this issue on currently supported products.
The following sections of this advisory provide impact information on each
product.

Products That Require Citrix Updates:

o HDX RealTime Optimization Pack for Microsoft Lync 2010:

  This component is vulnerable to CVE-2014-0160. An updated version of this
  component has been released to address this issue.
  Citrix recommends customers deploy these patches as soon as possible. These
  patches can be found on our website at the following locations:

  o Windows - https://support.citrix.com/article/CTX140719
  o Mac     - https://support.citrix.com/article/CTX140730
  o Linux   - https://support.citrix.com/article/CTX140732

o Citrix XenMobile App Controller:

  XenMobile App Controller versions 2.9 and 2.10 are vulnerable to
  CVE-2014-0160. Patches have been released to address this issue for both
  App Controller 2.9 and 2.10. Citrix recommends that customers deploy these
  patches as soon as possible. These patches are available from the following
  location: https://www.citrix.com/downloads/xenmobile/product-software.html

  Further information on this can be found in the following blog post:
  http://blogs.citrix.com/2014/04/15/citrix-xenmobile-security-advisory-for-heartbleed/

o Citrix XenMobile MDX Toolkit & SDK:

  MDX Toolkit and SDK versions 2.2.1 (XenMobile 8.6.1) and 2.3.61 (XenMobile
  8.7) use a vulnerable version of OpenSSL when wrapping iOS applications.
  Enterprise-ready mobile apps on the Worx App Gallery that use this version
  of the Worx SDK also use a vulnerable version of OpenSSL. Outgoing micro VPN
  network connections to Access Gateway from iOS applications that were
  wrapped, or Worx SDK enabled, with this version will be encapsulated in a
  TLS connection that uses a vulnerable version of OpenSSL.

  Citrix has released a new version of the MDX Toolkit & SDK for iOS and
  Android Build MDX Toolkit; this can be found on the Citrix website at the
  following address:
  https://www.citrix.com/downloads/xenmobile/product-software.html

  Wrapped Android applications make use of the underlying Android version of
  OpenSSL; Citrix advises customers to check with their device vendors to
  ensure that the underlying Android version is not vulnerable to
  CVE-2014-0160.

o Citrix XenMobile Worx components for iOS:

  Worx Home for iOS version 8.7 uses a vulnerable version of OpenSSL.
  A new version of this software, 8.7.1.27, can be downloaded from the Apple
  App Store at the following address:
  https://itunes.apple.com/us/app/worx-home/id434682528?mt=8

  Customers that are using wrapped versions of iOS Worx applications are also
  advised to review the guidance on the MDX Toolkit given above.

o Receiver for BlackBerry:

  The Receiver for BlackBerry 10 version 2.0.0.21 is vulnerable to
  CVE-2014-0160. A new version of the Receiver for BlackBerry 10, 2.0.0.22,
  can be downloaded from the BlackBerry World website at the following
  address: http://appworld.blackberry.com/webstore/content/34621918

  Receiver for PlayBook version 1.0.0 and Receiver for BlackBerry version 2.2
  are not vulnerable to CVE-2014-0160.

o Citrix Licensing:

  The Citrix License Server for Windows version 11.11.1, the Citrix License
  Server VPX version 11.12 and the Citrix Usage Collector are vulnerable to
  CVE-2015-0160. New versions of the License Server for Windows,
  11.11.1.13017, and the License Server VPX, 11.12.14001, can be downloaded
  from the Citrix website at the following address:
  https://www.citrix.com/downloads/licensing/license-server.html

o Citrix CloudPlatform:

  The TLS interface exposed by the Secondary Storage VM in CloudPlatform
  versions 4.2.0, 4.2.1-x and 4.3.0.0 uses a version of OpenSSL that is
  vulnerable to CVE-2014-0160. Citrix has released updated system virtual
  machine templates to resolve this issue. Citrix recommends that customers
  update the system virtual machine templates to a patched version and then
  reboot any Secondary Storage VMs to ensure that the updated OpenSSL version
  is being used. Instructions on updating the system virtual machine templates
  can be found in the following Citrix knowledge base article:
  https://support.citrix.com/article/CTX200024

o Citrix XenClient XT:

  XenClient XT versions 3.1.4, 3.2.0, and 3.2.1 are vulnerable to
  CVE-2014-0160.
  A new version of XenClient XT, 3.2.2, is available on the Citrix website at
  the following address:
  https://www.citrix.com/downloads/xenclient/product-software/xenclient-xt-322.html

  The XenClient XT Synchronizer makes use of the platform provided OpenSSL
  library. Customers are advised to verify that the version of OpenSSL
  installed on the underlying Linux Operating System is not vulnerable to
  CVE-2014-0160.

o Citrix XenClient Enterprise:

  Some versions of XenClient Enterprise Engine are vulnerable to
  CVE-2014-0160. In deployments where the XenClient Synchronizer is only
  accessed via fully trusted networks, the level of exposure is reduced. The
  TLS libraries used by currently supported versions of the XenClient
  Enterprise Synchronizer are not vulnerable to CVE-2014-0160.

  The following versions of XenClient Enterprise Engine are vulnerable to
  CVE-2014-0160:

  o 4.1.0, 4.1.1, 4.1.2, 4.1.3, and 4.1.4. Citrix has released a new version
    of the XenClient Enterprise engine, 4.1.5. This can be found at the
    following address:
    https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-41.html

  o 4.5.1, 4.5.2, 4.5.3, 4.5.4, and 4.5.5. Citrix has released a new version
    of the XenClient Enterprise engine, 4.5.6. This can be found at the
    following address:
    https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-45

  o 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4 and 5.0.5. Citrix has released a new
    version of the XenClient Enterprise engine, 5.0.6. This can be found at
    the following address:
    https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-50.html

  o 5.1.0, and 5.1.1. Citrix has released a new version of XenClient
    Enterprise, 5.1.2. This can be found at the following address:
    https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-51.html

o Citrix DesktopPlayer for Mac:

  DesktopPlayer for Mac version 1.0.x up to and including version 1.0.3 is
  vulnerable to CVE-2014-0160.
  A new version of the DesktopPlayer for Mac, 1.0.4, is available on the
  Citrix website at the following address:
  https://www.citrix.com/downloads/desktopplayer-for-mac/product-software/desktopplayer-for-mac-10.html

  The TLS libraries used by currently supported versions of the DesktopPlayer
  Synchronizer are not vulnerable to CVE-2014-0160.

Products That May Require Third Party Updates:

o Citrix XenDesktop 7.5:

  Customers deploying Virtual Desktop Agents that are hosted on Citrix
  CloudPlatform are advised to verify that the volume worker template is
  using a version of OpenSSL that is not vulnerable to CVE-2014-0160. Setup
  instructions for the volume worker template on CloudPlatform can be found in
  the following document: https://support.citrix.com/article/CTX140428

  Amazon Web Services based deployments use the Linux AMI template. Guidance
  from Amazon covering VMs based on this template can be found at the
  following location:
  https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/

o Citrix Receiver for Android:

  Receiver for Android makes use of the OpenSSL library provided by the
  underlying Android platform. Citrix advises customers to check with their
  device vendors to ensure that the underlying Android version is not
  vulnerable to CVE-2014-0160. An initial statement by Google on Android can
  be found here:
  http://googleonlinesecurity.blogspot.co.uk/2014/04/google-services-updated-to-address.html

o Citrix XenMobile Worx components for Android:

  Worx components running on Android make use of the OpenSSL library provided
  by the underlying Android platform. Citrix advises customers to check with
  their device vendors to ensure that the underlying Android version is not
  vulnerable to CVE-2014-0160. An initial statement from Google on Android
  can be found here:
  http://googleonlinesecurity.blogspot.co.uk/2014/04/google-services-updated-to-address.html
o Citrix Receiver for Linux:

  The TLS libraries included in currently supported versions of Receiver for
  Linux are not vulnerable to CVE-2014-0160. Version 13.0 of the Receiver for
  Linux also makes use of the platform provided OpenSSL library. Customers
  using this version are advised to ensure that the version of OpenSSL
  installed on the underlying Linux Operating System is not vulnerable to
  CVE-2014-0160.

o Citrix Web Interface:

  Web Interface makes use of the TLS functionality provided by the underlying
  web server. Citrix customers are advised to verify that any deployed web
  servers used to host Web Interface are not vulnerable to this issue. Web
  Interface can also use a built-in TLS library to make outgoing TLS
  connections; this library is not vulnerable to CVE-2014-0160.

o Citrix CloudPortal Business Manager:

  This product does not include any TLS libraries and, as such, is not
  vulnerable to CVE-2014-0160. Some customer deployments may make use of an
  additional SSL proxy component; Citrix advises customers to contact the
  vendors of any SSL proxy components being used to determine if they are
  vulnerable to CVE-2014-0160.

Products That Are Not Impacted:

o Citrix Provisioning Services:

  Currently supported versions of Citrix Provisioning Services are not
  affected by CVE-2014-0160.

o Citrix XenServer:

  The TLS libraries used by currently supported versions of XenServer are not
  vulnerable to CVE-2014-0160.

o Citrix VDI-in-a-Box:

  The TLS libraries used by currently supported versions of VIAB are not
  vulnerable to CVE-2014-0160.

o Citrix XenMobile MDM Edition:

  The TLS libraries used by components of XenMobile MDM Edition, including the
  XenMobile Device Manager component, are not vulnerable to CVE-2014-0160.

o Citrix CloudPortal Services Manager:

  The TLS libraries used by currently supported versions of CloudPortal
  Services Manager are not vulnerable to CVE-2014-0160.
o Citrix Receiver for Windows:

  The TLS libraries used by currently supported versions of Receiver for
  Windows are not vulnerable to CVE-2014-0160.

o Citrix Receiver for Mac:

  The TLS libraries used by currently supported versions of Receiver for Mac
  are not vulnerable to CVE-2014-0160.

o Citrix Receiver for iOS:

  The TLS libraries used by currently supported versions of Receiver for iOS
  are not vulnerable to CVE-2014-0160.

o Citrix ByteMobile:

  The TLS libraries used by currently supported versions of ByteMobile are
  not vulnerable to CVE-2014-0160.

o Citrix NetScaler:

  The TLS libraries used by currently supported versions of the NetScaler
  product are not vulnerable to CVE-2014-0160.

o Citrix Access Gateway:

  The TLS libraries used by currently supported versions of Access Gateway
  are not vulnerable to CVE-2014-0160.

o Citrix CloudBridge:

  The TLS libraries used by currently supported versions of Citrix
  CloudBridge, including client components, are not vulnerable to
  CVE-2014-0160.

o Citrix Secure Gateway (CSG):

  The TLS library used by the currently supported version of CSG is not
  vulnerable to CVE-2014-0160.

o Citrix XenApp SSLRelay Component:

  The TLS libraries used by currently supported versions of the XenApp
  SSLRelay are not vulnerable to CVE-2014-0160.

o Citrix Single Sign-on, previously known as Password Manager:

  The TLS libraries used by currently supported versions of Citrix Single
  Sign-on are not vulnerable to CVE-2014-0160.

o Citrix StoreFront:

  The TLS library used by currently supported versions of Citrix StoreFront
  is not vulnerable to CVE-2014-0160.

o Citrix Merchandising Server:

  The TLS library used by the currently supported version of Citrix
  Merchandising Server is not vulnerable to CVE-2014-0160.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at http://www.citrix.com/site/ss/supportContacts.asp
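Several items above (Receiver for Linux 13.0, the XenClient XT Synchronizer, the
CloudPlatform volume worker template) tell customers to verify that the OpenSSL
build provided by the underlying platform is not vulnerable to CVE-2014-0160,
without saying how. The script below is an added example, not part of the
Citrix or AusCERT text: it parses the banner printed by `openssl version -a`
and classifies it. The affected range it encodes (1.0.1 through 1.0.1f and
1.0.2-beta1 vulnerable; 1.0.1g and 1.0.2-beta2 fixed; 0.9.8 and 1.0.0 never
affected) is the upstream OpenSSL project's statement for CVE-2014-0160, not
something this advisory lists. The build-date heuristic for distribution
backports, the function names and the sample banners are my own assumptions and
constructed data.

```python
"""Classify an `openssl version -a` banner against CVE-2014-0160 (Heartbleed).

Added example, not part of the Citrix/AusCERT advisory. Affected range per the
upstream OpenSSL project: 1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g and
1.0.2-beta2 fixed it; the 0.9.8 and 1.0.0 branches never had the heartbeat code.
"""
import re
import subprocess
from datetime import date

# Day the upstream fix was published. Linux distributions backported it without
# bumping the version letter (a 1.0.1e build dated on or after this day may be
# patched), so the build date is used only as a hint, never as proof.
UPSTREAM_FIX_DATE = date(2014, 4, 7)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
# Accepts both "built on: Mon Apr  7 21:25:04 UTC 2014" (1.0.x layout) and
# "built on: Fri Sep 28 12:18:42 2018 UTC" (later layout).
_BUILT_RE = re.compile(
    r"built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+\d{2}:\d{2}:\d{2}\s+(?:[A-Z]+\s+)?(\d{4})"
)
_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_build_date(banner):
    """Return the 'built on' date from `openssl version -a` output, or None."""
    m = _BUILT_RE.search(banner)
    if not m:
        return None
    month, day, year = m.groups()
    try:
        return date(int(year), _MONTHS[month.title()], int(day))
    except (KeyError, ValueError):
        return None


def classify(banner):
    """Return {'status', 'version', 'reason'} for one version banner.

    status is one of: vulnerable, possibly-patched, fixed, unaffected, unknown.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return {"status": "unknown", "version": None,
                "reason": "no OpenSSL version string found (non-OpenSSL library?)"}
    major, minor, patch, letter, beta = m.groups()
    branch = f"{major}.{minor}.{patch}"
    version = m.group(0).split(None, 1)[1]

    if branch == "1.0.1":
        affected = letter <= "f"      # plain 1.0.1 ('' letter) through 1.0.1f
    elif branch == "1.0.2":
        affected = beta == "1"        # only 1.0.2-beta1 carried the bug
    else:
        return {"status": "unaffected", "version": version,
                "reason": f"branch {branch} never contained the heartbeat bug"}

    if not affected:
        return {"status": "fixed", "version": version,
                "reason": "version string is at or past the upstream fix"}

    built = parse_build_date(banner)
    if built is not None and built >= UPSTREAM_FIX_DATE:
        return {"status": "possibly-patched", "version": version,
                "reason": f"affected version string but built {built}; "
                          "confirm against the distribution package changelog"}
    return {"status": "vulnerable", "version": version,
            "reason": "version string is in the affected range"}


def check_local_openssl():
    """Run `openssl version -a` on this host and classify the result."""
    try:
        out = subprocess.run(["openssl", "version", "-a"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return {"status": "unknown", "version": None, "reason": "openssl not on PATH"}
    return classify(out)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real Citrix host.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Feb 12 10:00:00 UTC 2013",
        "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 21:25:04 UTC 2014",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0k 5 Feb 2013",
        "OpenSSL 3.0.2 15 Mar 2022\nbuilt on: reproducible build, date unspecified",
    ]
    for s in samples:
        r = classify(s)
        print(f"{r['version'] or '?':<14} {r['status']:<17} {r['reason']}")
    print("local host:", check_local_openssl())
```

The version string alone is not authoritative on Linux: Debian, Ubuntu and Red
Hat shipped fixed 1.0.1e packages that still print 1.0.1e, which is why the
script only downgrades such a build to "possibly-patched" and points at the
package changelog. The "unknown" result is deliberate for LibreSSL or other
non-OpenSSL banners rather than a false "unaffected".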
More information on the support status of Citrix products can be found on our
website at the following address:
http://www.citrix.com/support/product-lifecycle/product-matrix.html

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers
any and all potential vulnerabilities seriously. For guidance on how to report
security-related issues to Citrix, please see the following document:
CTX081743 - Reporting Security Issues to Citrix

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY4mK0skNZI30y1K9AQiPPRAAolDhjrDYnoqzVGtrlko7KB7frzj+S+PH
a+M/sSql4/KWKtXToZCCyg7mLyIYdsCf5wEBY6F8t/8CQj8JAGOxT1K9Mek24BB2
vlUSc6hpTcpewkIuxW2tsCKfojggi5+jnj/VuVYLpEGEofSEayEMZhdbprZBENaL
DqKX0lnlEo9oWzU6T1t/SHlwzPGVuZ2dJntR+olypPhraWq9vfmjzaWqnCriFNLs
vodfwC0UMJHI+kx1sJ+sMwQstM9ijIE/VOqgcM9vtPKEh1Cdn+Rcc/d2+WAw5JF7
jeIgfyWjQXZmcVVIsqy7avpUrC8QF+67DYKBO56T0ZmcWLzHMZR+ehYrBy9GEA4c
dSmiAk5bGqqC2dq1Cb6hJQPSkjp+Z/st29P1RCxy5UZDkLDTZWFHEt29qhAObtUD
+ePjmZRudpywO2kHSdrGk8k6LRXfxh+cX3rRGwWo3rmr1L35R1uhABn4i2jCEVK5
PcEVgvU2epIysVeO29xgsU7JezmMkg2Ul0RpCFtIr/baYez0TFMWFpIRz1w0mUpq
l4O83NUjQkoSj2j2PigIBXcoS8FvQheGCOZGMuUtZNvKmx7ReMbxqzVAUKr+UT5W
i0kqniiq7S7LjicjJlohftLKVfN8XRW0ycPR3xiLQhzyP03UZmAFQsrn127vBCm4
PWqMCX1tNtg=
=UlRz
-----END PGP SIGNATURE-----