ASB-2009.1131.2 - UPDATE [Win][OSX] Citrix Online Plug-in for Windows: Provide misleading information - Remote/unauthenticated

Date: 15 November 2009
Related Files: ASB-2009.1131  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2009.1131.2
         Citrix Online Plug-ins and ICA Client updated to correct
                          spoofing vulnerability
                             16 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Citrix Online Plug-in for Windows
                      Citrix Online Plug-in for Mac
                      Citrix Receiver for iPhone
Operating System:     Windows
                      Mac OS X
                      Network Appliance
Impact/Access:        Provide Misleading Information -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2009-3936  
Member content until: Saturday, December 12 2009

Revision History:     November 16 2009: Added CVE reference
                      November 12 2009: Initial Release

OVERVIEW

        Citrix have released updates to their Online Plug-ins for Windows
        and Mac, and the Citrix Receiver for iPhone, correcting a security
        vulnerability.


IMPACT

        The vendor has provided the following information regarding this
        vulnerability:
        
        "A vulnerability has been identified in the Citrix Online 
        Plug-ins and ICA Clients for XenApp and XenDesktop that could 
        allow an attacker to impersonate an SSL or TLS endpoint. Customers 
        should be aware that this issue is unrelated to the TLS 
        renegotiation prefix injection attack, referenced by CVE-2009-3555.
        
        SSL/TLS can be used to provide server authentication for ICA 
        traffic in XenDesktop or XenApp. This vulnerability could allow an 
        attacker to use a specifically crafted certificate to successfully 
        impersonate the SSL/TLS server, in effect allowing the attacker to 
        subvert the intended server authentication.
        
        In addition to the specific issues documented in this bulletin, 
        customers are strongly advised to follow the guidance in Microsoft 
        security bulletin MS09-056, because some Citrix client components 
        have dependencies on the components covered by this bulletin." [1]
        
        The following products have been confirmed as vulnerable: [1]
        
          * Citrix Online Plug-in for Windows: version 11.0.150, and 
            version 11.2 and later
          * Citrix Online Plug-in for Mac: version 11.0 and later
          * Citrix Receiver for iPhone: version 1.0.3 and later
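        The affected-version list above is the part of the bulletin an
        administrator has to apply to an inventory. The following is an
        added example, not AusCERT's or Citrix's code: it encodes the
        three affected ranges exactly as the bulletin states them and
        flags inventory rows that fall inside them. The inventory rows
        are constructed sample data, the product names are the bulletin's
        own, and "version 11.0.150" is treated as a prefix match (an
        assumption, so that a build like 11.0.150.x is also caught).
        Because the bulletin gives no upper bound ("and later") and does
        not name the fixed build, a host already on the vendor's current
        release is still flagged until an upper bound is added from
        reference [2].

```python
"""Check a Citrix client inventory against the affected versions listed in
ASB-2009.1131.2.  Added example: the version ranges come from the bulletin,
the inventory rows are constructed sample data."""
from __future__ import annotations

def parse_version(s: str) -> tuple[int, ...]:
    """Turn '11.0.150' into (11, 0, 150) so versions compare numerically.
    Tuple comparison makes (11, 1, 0) < (11, 2) and (11, 0) < (11, 0, 150)."""
    return tuple(int(p) for p in s.strip().split("."))

# Affected ranges as the bulletin states them.  "at_least" is open-ended
# because the bulletin says "and later" and names no fixed build.
AFFECTED: dict[str, list[tuple[str, str]]] = {
    "Citrix Online Plug-in for Windows": [
        ("exact", "11.0.150"),   # bulletin: "version 11.0.150"
        ("at_least", "11.2"),    # bulletin: "version 11.2 and later"
    ],
    "Citrix Online Plug-in for Mac": [("at_least", "11.0")],
    "Citrix Receiver for iPhone": [("at_least", "1.0.3")],
}

def is_affected(product: str, version: str) -> bool:
    """True if the bulletin lists this product/version as affected."""
    rules = AFFECTED.get(product)
    if rules is None:
        return False  # product not covered by this bulletin
    v = parse_version(version)
    for kind, bound in rules:
        b = parse_version(bound)
        # Assumption: "exact" matches the listed components as a prefix,
        # so an installed 11.0.150.7 is treated as 11.0.150.
        if kind == "exact" and v[:len(b)] == b:
            return True
        if kind == "at_least" and v >= b:
            return True
    return False

def scan_inventory(rows):
    """rows: iterable of (host, product, version); returns rows needing the update."""
    return [(h, p, v) for h, p, v in rows if is_affected(p, v)]

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "Citrix Online Plug-in for Windows", "11.0.150"),
    ("ws-02", "Citrix Online Plug-in for Windows", "11.1.0"),   # not listed
    ("ws-03", "Citrix Online Plug-in for Windows", "11.2.0"),
    ("mac-01", "Citrix Online Plug-in for Mac", "10.9"),         # not listed
    ("mac-02", "Citrix Online Plug-in for Mac", "11.0"),
    ("ph-01", "Citrix Receiver for iPhone", "1.0.2"),            # not listed
    ("ph-02", "Citrix Receiver for iPhone", "1.0.3"),
]

if __name__ == "__main__":
    for host, product, version in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is listed as affected by ASB-2009.1131.2")
```

        Note that Windows 11.1.x is not in the bulletin's list: only
        11.0.150 and 11.2 onwards are named, so the check deliberately
        leaves the gap between them unflagged rather than guessing.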


MITIGATION

        Citrix has strongly advised customers to update to the latest 
        version of this client. [1]
        
        The latest versions are available for download from the vendor's
        website. [2]


REFERENCES

        [1] Vulnerability in Citrix Online Plug-ins and ICA Clients Could
            Result in SSL/TLS Certificate Spoofing
            http://support.citrix.com/article/CTX123248

        [2] Citrix Systems >> Citrix Downloads >> XenApp
            http://www.citrix.com/English/SS/downloads/results.asp?productId=186&c1=sot2755

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLAIzNNVH5XJJInbgRAs0NAJ9qfyPp0q0/J888EQ2ZZqHHoOl3EgCfZArY
Njp+OuX+JFpVFNxlXsC3PyQ=
=iBOK
-----END PGP SIGNATURE-----