Date: 07 April 2004
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2004.0258 -- Foundstone Labs Advisory
Citrix MetaFrame Password Manager 2.0 credentials not encrypted under
certain configurations
07 April 2004
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Citrix MetaFrame Password Manager 2.0
Publisher: Foundstone
Operating System: Windows
Impact: Reduced Security
Access Required: Existing Account
- --------------------------BEGIN INCLUDED TEXT--------------------
Foundstone Labs Advisory
Advisory Name: Citrix MetaFrame Password Manager 2.0 credentials not
encrypted under certain configurations
Release Date: April 5, 2004
Application: Citrix MetaFrame Password Manager 2.0
Platforms: Windows 2000 and Windows XP
Type: Information Disclosure
Vendors: Citrix
Vendor Advisory:
http://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=256
Authors: Vijay Akasapu and David Wong
Reference: http://www.foundstone.com/advisories
Overview:
The Citrix MetaFrame Password Manager 2.0 product provides
enterprise-level single sign-on (SSO) functionality, enabling users
to authenticate just once with a single set of credentials to gain
access to a variety of applications, systems, and web sites that
require secondary logons. The product accomplishes this by storing
user's passwords in an encrypted database and automatically providing
credentials to applications when needed. The credentials are normally
encrypted using the 3DES algorithm in both the local and central
store. However, if an administrator inadvertently fails to configure
the Citrix MetaFrame Password Manager agent to point to a central
credential store, the credentials will be stored in the local store
unencrypted.
Mitigating Factors:
1. The local credential store is protected by Windows File Access
Control Lists (ACLs) that restrict access to the user or
Administrator
2. The credentials are stored unencrypted only when a central
credential store is not configured. This configuration is unlikely
to be encountered in a typical production deployment of Citrix
MetaFrame Password Manager
3. Only credentials entered immediately after executing the
First Time User Wizards are affected. Credentials entered
subsequently are encrypted.
Vendor Response:
Foundstone's software security consulting group identified this
vulnerability during a product security assessment of Citrix MetaFrame
Password Manager 2.0. The assessment was commissioned by Citrix as
part of their efforts to provide Citrix customers with more secure
software.
Citrix has issued a security bulletin and Hotfix MPME100W001 to
address the vulnerability identified in this advisory. It is
available at:
http://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=256
Recommendation:
Apply Hotfix MPME100W001 provided by Citrix. If no central
credential store has been configured, the local credential store
should be manually deleted before the system is patched.
Administrators must ensure all deployments are configured with
synchronization to a central credential store (either Active
Directory or File Server).
Disclaimer:
The information contained in this advisory is copyright (c) 2004
Foundstone, Inc. and is believed to be accurate at the time of
publishing. However, no representation of any warranty is given,
expressed, or implied as to its accuracy or completeness. In no
event shall the author or Foundstone be liable for any direct,
indirect, incidental, special, exemplary or consequential damages
resulting from the use or misuse of this information. This advisory
may be redistributed, provided that no fee is assigned and that
the advisory is not modified in any way.
About Foundstone Foundstone Inc. addresses the security and
privacy needs of Global 2000 companies with world-class Enterprise
Vulnerability Management Software, Managed Vulnerability Assessment
Services, Professional Consulting and Education offerings. The
company has one of the most dominant security talent pools ever
assembled, including experts from Ernst & Young, KPMG,
PricewaterhouseCoopers, and the United States Defense Department.
Foundstone executives and consultants have authored nine books,
including the international best seller Hacking Exposed: Network
Security Secrets & Solutions.
Foundstone is headquartered in Orange County, CA, and has offices
in New York, Washington, DC, San Antonio, and Seattle. For more
information, visit www.foundstone.com or call 1-877-91-FOUND.
Copyright (c) 2004 Foundstone, Inc. All rights reserved worldwide.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQHN4JSh9+71yA2DNAQK8kwQAkNFcYeM6g36Yr+s60mdDkxEennsGgary
R/N2+oYW/1HZu+PdVD3ddlAYQCdGK331UHBFrF1B5tTp2cKDBla6eLfutEnI/7CD
QooQolJQgyd5X0Vl4IoX4PatAiFaZTJ+b+Pe+hMwzs9j6wMZXeXsj32rNkhojJ8c
dgXbjS9p/5E=
=8hIi
-----END PGP SIGNATURE-----
|