|
|
ESB-2012.0493 - [Win] Citrix XenApp: Denial of service - Remote/unauthenticated |
|
Date: 24 May 2012 Original URL: http://www.auscert.org.au/render.html?cid=1980&it=15866 Click here for PGP verifiable version -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0493
Vulnerability in Citrix XenApp could result in denial of service
24 May 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Feature Pack 1 for Presentation Server 4.5
Presentation Server 4.5 SE Edition
Presentation Server 4.5 for Windows Server 2003
Presentation Server 4.5 for Windows Server 2003 x64 Edition
XenApp 5.0 for Windows Server 2003 x64
XenApp 5.0 for Windows Server 2003 x86
XenApp 6.0 for Windows Server 2008 R2
XenApp 6.5 for Windows Server 2008 R2
XenApp Fundamentals 2.0
XenApp Fundamentals 3.0
XenApp Fundamentals 6.0 for Windows Server 2008 R2
Publisher: Citrix
Operating System: Windows
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
Original Bulletin:
http://support.citrix.com/article/CTX133159
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability in Citrix XenApp could result in denial of service.
Document ID: CTX133159
Created On: May 22, 2012
Updated On: May 22, 2012
Average Rating: not yet rated
Severity: Low
Description of Problem
A vulnerability has been identified in Citrix XenApp that, when triggered,
could result in a denial of service.
This vulnerability is present in all versions of Citrix XenApp, formerly known
as Presentation Server, up to and including version 6.5.
Mitigating Factors
In order to trigger this vulnerability, an attacker would need to be able to
directly access the XenApp server. When deployed according to established best
practice, the XenApp server would not be directly exposed and an Internet-based
attacker would not be able to trigger this vulnerability.
What Customers Should Do
A hotfix has been released to address this issue. Citrix recommends that
affected customers install this hotfix, which can be downloaded from the
following locations:
Citrix XenApp 6.5 for Windows Server 2008 R2:
EN - http://support.citrix.com/article/CTX133001
FR - http://support.citrix.com/article/CTX133229
DE - http://support.citrix.com/article/CTX133230
JA - http://support.citrix.com/article/CTX133231
Citrix XenApp 6.0 for Windows Server 2008 R2:
EN - http://support.citrix.com/article/CTX130473
FR - http://support.citrix.com/article/CTX131529
DE - http://support.citrix.com/article/CTX131527
JA - http://support.citrix.com/article/CTX131528
ES - http://support.citrix.com/article/CTX131530
SC - http://support.citrix.com/article/CTX131531
Citrix XenApp 5 for Windows Server 2008 64-bit Edition:
EN - http://support.citrix.com/article/CTX133131
FR - http://support.citrix.com/article/CTX133134
DE - http://support.citrix.com/article/CTX133132
JA - http://support.citrix.com/article/CTX133133
ES - http://support.citrix.com/article/CTX133135
Citrix XenApp 5 for Windows Server 2008 32-bit Edition:
EN - http://support.citrix.com/article/CTX133126
FR - http://support.citrix.com/article/CTX133129
DE - http://support.citrix.com/article/CTX133127
JA - http://support.citrix.com/article/CTX133128
ES - http://support.citrix.com/article/CTX133130
Citrix Presentation Server 4.5/XenApp 5 for Windows Server 2003 64-bit Edition:
EN - http://support.citrix.com/article/CTX133360
FR - http://support.citrix.com/article/CTX133363
DE - http://support.citrix.com/article/CTX133361
JA - http://support.citrix.com/article/CTX133362
ES - http://support.citrix.com/article/CTX133364
Citrix Presentation Server 4.5/XenApp 5 for Windows Server 2003 32-bit Edition:
EN - http://support.citrix.com/article/CTX133359
FR - http://support.citrix.com/article/CTX133367
DE - http://support.citrix.com/article/CTX133365
JA - http://support.citrix.com/article/CTX133366
ES - http://support.citrix.com/article/CTX133368
Acknowledgements
Citrix thanks the following for working with us to protect Citrix Customers:
Xiaopeng Zhang of Fortinet's FortiGuard Labs (http://www.fortinet.com)
Alex Chapman of Context Information Security Ltd.
(http://www.contextis.co.uk/)
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge Center
at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at http://www.citrix.com/site/ss/supportContacts.asp.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. If you would like to report a
security issue to Citrix, please compose an e-mail to secure@citrix.com stating
the exact version of the product in which the vulnerability was found and the
steps needed to reproduce the vulnerability.
This document applies to:
Feature Pack 1 for Presentation Server 4.5
Presentation Server 4.5 SE Edition
Presentation Server 4.5 for Windows Server 2003
Presentation Server 4.5 for Windows Server 2003 x64 Edition
XenApp 5.0 for Windows Server 2003 x64
XenApp 5.0 for Windows Server 2003 x86
XenApp 6.0 for Windows Server 2008 R2
XenApp 6.5 for Windows Server 2008 R2
XenApp Fundamentals 2.0
XenApp Fundamentals 3.0
XenApp Fundamentals 6.0 for Windows Server 2008 R2
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBT72V4O4yVqjM2NGpAQK8vxAAtcyWBsP/tGU5pvtOHhyNp3tov961ej03
8a+Zx0XOrGA+0HCaaZ92NUeMurOTeVUYRckouwWq9/L9YvHyRsWjWSt/aFub7MOC
d4trUzigM5C/MrqjwV3pMA8aglxhDpE5Jhpc5dfAJlpj9YFCZy7+u66FmXECy/Om
iGP+IP7Jhp2qUVeTB19bbBSwSLsQ/BGsinUh/aoPoP//+dLZq7ckh69rWT3Go+xI
sYGfo1w9jBb7Dovn/TQV6q7zm8RpGSsYeobHuQ+Z+w0YpsD+qOhEcYKUEISfBtQQ
yHOtgWaxrREyv/r2retTxDXuT7DnnOsePrBBLdYILSsQ8R40ES3TI8vdP92vf4t3
EjsWq7ZS/oRw4NCmhBshbOochQLwnKQ38h9suWu+fHOTctZWy3M8uYFxf4oBPcSh
SqO3+5//asQuW9k70RxGOd3PlC4fxdybmbIi72yaLtDse2+kEX2eDDixVSYgLZbX
jMr/fxJcphGCnRi5abVTHsRzwXIXIm7cPi4tPa2c1seNSz/iaKH9n9MoXVKsd0zR
D/AtFvpD3syHaQ1OyJpM/PADnwgxSnEG9OU90oUVVRBI1sYI+W/kMHj8495o4Ts0
Rw8j3mdMP/5UMim6ozczVN57zTnmTJSbZgSuTfi33/exSPDdGS+sp28HdaCjsQhZ
NwlT8BBoyJE=
=WAlF
-----END PGP SIGNATURE-----
|