ESB-2018.2296.2 - UPDATE [Linux][FreeBSD] Citrix products: Denial of service - Remote/unauthenticated 2018-08-21

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.2296.2
      Citrix Security Advisory for TCP Reassembly Resource Exhaustion
                              21 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Receiver for Linux
                   Citrix Linux Virtual Desktop
                   Citrix XenDesktop Volume Worker Template
Publisher:         Citrix
Operating System:  Linux variants
                   FreeBSD
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6922 CVE-2018-5390 

Reference:         ESB-2018.2287
                   ESB-2018.2278
                   ESB-2018.2277
                   ESB-2018.2275
                   ESB-2018.2271

Original Bulletin: 
   https://support.citrix.com/article/CTX237244

Comment: Citrix advises that analysis of Citrix XenServer, Citrix XenMobile and
         Citrix Licensing for this vulnerability is still in progress.

Revision History:  August 21 2018: Added CVE-2018-5391 and CVE-2018-6923 
                                   details
                   August  9 2018: Initial Release

---------------------------BEGIN INCLUDED TEXT--------------------

CTX237244

Citrix Security Advisory for TCP/IP Reassembly Resource Exhaustion

Security Bulletin | Medium 
Created: 08 Aug 2018 | Modified: 16 Aug 2018

Description of Problem

Several vulnerabilities in TCP/IP reassembly, commonly known as SegmentSmack
and FragmentSmack, have recently been disclosed. SegmentSmack is CVE-2018-5390
for Linux and CVE-2018-6922 for FreeBSD. FragmentSmack is CVE-2018-5391 for
Linux and CVE-2018-6923 for FreeBSD. These vulnerabilities could allow an
attacker who is able to maintain a TCP or IP stream with a vulnerable component
to send crafted packets that cause high CPU usage or CPU resource exhaustion,
leading to denial of service.
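Why segments that cannot yet be delivered translate into CPU cost is easier to see with a small model. The following is an added illustration, not Citrix's code and not the Linux or FreeBSD kernel's reassembly code: it compares a reassembly queue that is searched linearly on every arrival with one searched by binary search, counting comparisons on a constructed stream of tiny segments stuck behind a hole. The segment sizes and hole size are assumptions chosen only to make the effect visible.

```python
# Added illustration (not Citrix's or any kernel's code): why out-of-order
# segments stuck behind a hole are expensive. Each arrival must be placed among
# the segments already queued. A queue searched linearly does O(n) work per
# arrival, so n such segments cost O(n^2) in total; a queue searched by binary
# search does O(log n) per arrival. The counters below are comparisons made.


def stalled_segments(count, hole_size=1460, seg_size=1):
    """Constructed sequence numbers: `count` tiny segments arriving behind a
    hole of `hole_size` bytes, so none of them can ever be delivered."""
    return [hole_size + i * seg_size for i in range(count)]


def linear_queue(seq_numbers):
    """Insert each segment by scanning the queue from the front for its slot."""
    queue, comparisons = [], 0
    for seq in seq_numbers:
        pos = 0
        while pos < len(queue) and queue[pos] < seq:
            comparisons += 1
            pos += 1
        queue.insert(pos, seq)
    return queue, comparisons


def sorted_queue(seq_numbers):
    """Insert each segment by binary search over the (always sorted) queue."""
    queue, comparisons = [], 0
    for seq in seq_numbers:
        lo, hi = 0, len(queue)
        while lo < hi:
            mid = (lo + hi) // 2
            comparisons += 1
            if queue[mid] < seq:
                lo = mid + 1
            else:
                hi = mid
        queue.insert(lo, seq)
    return queue, comparisons


def cost_ratio(count):
    """How many times more work the linear queue does for `count` segments."""
    segs = stalled_segments(count)
    _, linear = linear_queue(segs)
    _, binary = sorted_queue(segs)
    return linear / max(binary, 1)


if __name__ == "__main__":
    for n in (100, 1000, 5000):
        print(f"{n:5d} stalled segments: linear/binary work ratio = {cost_ratio(n):.1f}")
```

The ratio grows with the number of queued segments, which is why a peer that keeps a connection open and feeds it small, never-completing segments can drive CPU use up without sending much data; the operating system patches referenced in this bulletin bound that per-packet work.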

The vulnerable reassembly code is part of certain Linux-based and FreeBSD-based
operating systems. Customers who manage Linux or FreeBSD platforms on which
Citrix components are deployed are advised to apply the appropriate operating
system updates.

The following sections provide guidance on the impact and mitigation steps for
Linux-based and FreeBSD-based Citrix products. Citrix products that do not
include or execute on these platforms are not impacted by this vulnerability.

Windows-based components of XenDesktop and XenApp are not impacted by this
issue.

-------------------------------------------------------------------------------

What Citrix Is Doing

Citrix is in the process of analyzing the potential impact of this issue on
currently supported products. 

-------------------------------------------------------------------------------

Product Details

Citrix NetScaler

NetScaler MPX and NetScaler VPX are not impacted by CVE-2018-5390,
CVE-2018-6922, CVE-2018-5391 and CVE-2018-6923.

NetScaler SVM and NetScaler MAS are not impacted by CVE-2018-5390 and
CVE-2018-5391.

-------------------------------------------------------------------------------

Citrix XenServer

Analysis of the impact of this issue on Citrix XenServer is in progress. This
section will be updated as soon as additional information is available.

-------------------------------------------------------------------------------

Citrix XenMobile

Analysis of the impact of this issue on Citrix XenMobile is in progress. This
section will be updated as soon as additional information is available.

-------------------------------------------------------------------------------

Citrix Receiver for Linux

Citrix recommends that customers apply any applicable patches to the
underlying Linux operating system.

-------------------------------------------------------------------------------

Citrix Linux Virtual Desktop

Citrix Linux Virtual Desktop deployments may be impacted by this operating
system vulnerability. Citrix recommends that customers apply any applicable
patches to the underlying Linux operating system.

-------------------------------------------------------------------------------

Citrix Licensing

Analysis of the impact of this issue on Citrix Licensing is in progress. This
section will be updated as soon as additional information is available.

-------------------------------------------------------------------------------

Citrix XenDesktop Volume Worker Template

Amazon Web Services-based deployments use the Linux AMI template. Guidance
from Amazon about this issue is available at the following location:
https://aws.amazon.com/security/security-bulletins/AWS-2018-018/

-------------------------------------------------------------------------------

The above list will be updated as the analysis into this issue progresses.

-------------------------------------------------------------------------------

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at https://www.citrix.com/support/open-a-support-case.html.

-------------------------------------------------------------------------------

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For guidance on how to report
security-related issues to Citrix, please see the following document:
CTX081743 - Reporting Security Issues to Citrix

-------------------------------------------------------------------------------

Changelog

+--------------------+-------------------------------------------------------+
|Date                |Change                                                 |
+--------------------+-------------------------------------------------------+
|August 8th 2018     |Initial bulletin published                             |
+--------------------+-------------------------------------------------------+
|August 16th 2018    |Added CVE-2018-5391 and CVE-2018-6923 details          |
+--------------------+-------------------------------------------------------+
-------------------------------------------------------------------------------

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================