-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1557
                       Citrix Hypervisor Security Update
                                  1 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Hypervisor
                   XenServer 7.1 LTSR Cumulative Update 2
                   XenServer
Publisher:         Citrix
Operating System:  Citrix XenServer
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15473
Reference:         ASB-2019.0060
                   ASB-2019.0059.2
                   ESB-2020.0342
                   ESB-2019.3015

Original Bulletin:
   https://support.citrix.com/article/CTX272237

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Hypervisor Security Update

Reference: CTX272237
Category : Low
Created  : 30 Apr 2020
Modified : 30 Apr 2020

Applicable Products

  o Citrix Hypervisor
  o XenServer 7.1 LTSR Cumulative Update 2
  o XenServer

Description of Problem

An issue has been discovered in Citrix Hypervisor that, if exploited, could
potentially allow an attacker on the management network to enumerate valid
administrative account usernames. Note that this attack does not disclose the
corresponding passwords and does not grant access to the attacked system.

This issue has the following identifier:

  o CVE-2018-15473

This issue affects Citrix XenServer 7.1 LTSR CU2.

Mitigating Factors

Customers who do not have ssh access enabled to the control domain are not
affected by this issue. Customers who have not enabled Active Directory
integration for administrative login will have minimal usernames exposed to
attacker enumeration.

What Customers Should Do

A hotfix has been released to address this issue. Citrix recommends that
customers running Citrix XenServer 7.1 LTSR CU2 install this hotfix as their
patching schedule allows.
The hotfix can be downloaded from the following location:

Citrix XenServer 7.1 LTSR CU2: CTX269660 - https://support.citrix.com/article/CTX269660

Acknowledgements

Changelog

+--------------------------+--------------------------------------------------+
|Date                      |Change                                            |
+--------------------------+--------------------------------------------------+
|2020-04-30                |Initial Publication                               |
+--------------------------+--------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above.
If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXqugyGaOgq3Tt24GAQgGMxAAyst+QRSTc9A3kkrsTnwwS8Zr678KfDdu
iLsBbDjNzU7B4+GQRHwYrQ7hb8bzzbonE0YDUddHuSqsoG/X4FjWuAmkEO9HtXWD
/AFURqAv4va5ORy8JoMvhDCZ7rhiCztNeTHhQobTUp5lypHvMj8AuskjKPA2uiaR
SUSu+5dPJTZ8GbwNa01GYQYNxnI2damj6OF0pUBkvf92v+7GrmmhpULuhb92IycA
VMU2b5FuARqZu78MgPfNgnirhp1wax2yIaqoFnIjsylt3ZNzMh1HlJ6z+JHpwjdR
Aj+ZrkUVCHNMgCClO7JycAcCR5VpAfEEpo0iJT8TpVl0e3P20+1Tvk5ILilHAIza
7NLYLFQV9UiU4cd7iRgMFnrR0+lYTqL6z1SvQ3LD/sRveL5J3uUEGuvSnbH4NpX5
YkfSkH06ANHVPUh8VxKR5/0vq3GjBweTjPKOxt7rTTcfaoI89pWRQdJKLHUpJBk5
og3I0j3bJSpngNNlUU25KU6LQ63B/t5oAyUqYO811OtNkEo7xWyKxA3wyn/9RT0x
fjJGtbu4iLYMxuiEwI30Az2pF6BK6wPEeJjSFxPQ5u7YQI6Yv39xsSyxCQe2djY8
+5Tdjr8z+d/+dkWcM38UcQllG+pRkeM+lVC+VVlQkGYPMHOYJdv0J9I171nf+8t5
Akg26LlZlsE=
=HxJK
-----END PGP SIGNATURE-----
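A defender-side exposure check for the bulletin above, added here as an example; it is not part of the AusCERT or Citrix text. It turns the two facts the bulletin gives (hosts without ssh access to the control domain are not affected; otherwise the CTX269660 hotfix is the fix) into a POSIX shell script meant to run in the XenServer control domain and report one of three states. Assumptions not stated in the bulletin: that `xe update-list` lists applied hotfixes with `name-label` entries, that `systemctl is-active sshd` reports the SSH daemon state in dom0, and that `HOTFIX_LABEL` is a placeholder to replace with the real label of the hotfix downloaded from the CTX269660 article; the `xe` listing embedded in the script is constructed sample data so it also runs offline.

```shell
#!/bin/sh
# Exposure triage for the Citrix bulletin (CTX272237 / CVE-2018-15473).
# Added example, not Citrix or AusCERT code.
#
# Assumptions (not from the bulletin):
#  - `xe update-list` prints applied hotfixes as "name-label ( RO): <label>" lines
#  - `systemctl is-active sshd` reports the control-domain SSH daemon state
#  - HOTFIX_LABEL is a placeholder; set it to the label of the hotfix from
#    https://support.citrix.com/article/CTX269660 before relying on the result
HOTFIX_LABEL="XS71ECU2_PLACEHOLDER"

# hotfix_applied LISTING LABEL
#   exit 0 if LABEL appears as a name-label entry in LISTING (xe update-list text)
hotfix_applied() {
    printf '%s\n' "$1" | grep -qE "name-label \( RO\):[[:space:]]*$2[[:space:]]*\$"
}

# ssh_reachable STATE
#   exit 0 if STATE (output of `systemctl is-active sshd`) says sshd is running;
#   the bulletin scopes the issue to hosts with ssh access to the control domain
ssh_reachable() {
    [ "$1" = "active" ]
}

# exposure_level LISTING SSHSTATE
#   prints:  not-affected  sshd not active (bulletin: not affected)
#            patched       sshd active and the hotfix label is present
#            exposed       sshd active and the hotfix label is absent
exposure_level() {
    if ! ssh_reachable "$2"; then
        echo not-affected
    elif hotfix_applied "$1" "$HOTFIX_LABEL"; then
        echo patched
    else
        echo exposed
    fi
}

# Constructed sample of `xe update-list` output, used when `xe` is not available
SAMPLE_LISTING='uuid ( RO)                    : 0e1f2a3b-0000-4000-8000-000000000001
          name-label ( RO): XS71ECU2_PLACEHOLDER
    name-description ( RO): Public Availability: constructed sample entry
'

# main: query the host when running in dom0, otherwise fall back to the sample
main() {
    listing=$(xe update-list 2>/dev/null) || listing="$SAMPLE_LISTING"
    state=$(systemctl is-active sshd 2>/dev/null) || state="inactive"
    exposure_level "$listing" "$state"
}

# Run only when invoked with --run, so the functions can be sourced on their own
case "${1:-}" in
    --run) main ;;
esac
```

Treat `not-affected` as the bulletin's own scoping only: an AD-integrated host with sshd disabled still owes the hotfix under the normal patching schedule, the script merely orders the urgency.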