Citrix patches critical hole in Access Gateway
A vulnerability in Citrix Access Gateway opens a hole for attackers to log in without proper registration information and hence to achieve unauthorised access to applications or resources. Citrix Access Gateway is an SSL-VPN solution for connecting mobile and remote users.
According to the manufacturer, the problem arises in the interaction between the Advanced Access Control (AAC) and the LDAP authentication. Citrix declined to provide more details on the problem, but did classify it as critical. The flaw does not arise in situations where AAC is implemented without LDAP. AAC 4.2 is affected, although a hot fix is available to correct the problem.
- LDAP authentication vulnerability in Access Gateway Advanced Access Control, Advisory from Citrix