Citrix remedies a vulnerability in several products
Citrix has released a number of updates intended to make attacking Citrix servers more difficult. According to a security advisory, specially crafted ICA files may make it possible to execute application-related commands on a server with the rights of the attacked user. For this to work, however, the user has to open such a file or load it with the ICA browser plug-in. In the latter case, all that is required is a visit to a website. For an attack to succeed, the victim has to have the right to execute so-called "published applications". In addition, the Citrix server has to be configured to forward additional parameters to the application.
The following software is affected:
Access Essentials 1.0
Citrix Access Essentials 1.5
Citrix Access Essentials 2.0
Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2000
Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2003
Citrix Presentation Server 4.0 for Microsoft Windows 2000
Citrix Presentation Server 4.0 for Microsoft Windows 2003
Citrix Presentation Server 4.0 x64 Edition
Citrix Presentation Server 4.5 for Windows Server 2003
Citrix Presentation Server 4.5 for Windows Server 2003 Feature Pack 1
Citrix Presentation Server 4.5 for Windows Server 2003 x64 Edition
- Vulnerability in Citrix Presentation Server could result in unauthorized code execution, Citrix security advisory
- CITRIX: Owning the Legitimate Backdoor, Security advisory by PDP
(mba)