Type of Vulnerability – Disclosure of authentication information
Affected Products:
• MetaFrame Password Manager 2.0
Platforms Affected: All
Languages Affected: All
Severity: Medium
Description of Problem
Application passwords entered immediately after the First Time Use Wizard may not be correctly encrypted.
Detailed Description
Under some circumstances, application passwords are stored encoded, but not encrypted.
This issue only arises if both of the following apply:
• Application passwords are entered immediately after the First Time Use Wizard. Application passwords entered during the First Time Use Wizard are not affected.
• No sync point has been defined. A sync point should always be defined for production configurations.
Any attempt to use such a password will fail, so this circumstance is detectable.
Application passwords entered subsequently are not affected.
What Customers Should Do
Citrix recommends that all customers apply hotfix MPME200W001, available here:
Hotfix MPME200W001 - For MetaFrame Password Manager 2.0 - English
What Citrix Is Doing
Citrix is proactively notifying customers and channel partners about this potential security issue. An article containing the information in this bulletin is available from the Citrix Knowledge Base at http://www.citrix.com/support.
Obtaining Support on this Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Information for contacting Citrix Technical Support is available at http://www.citrix.com/support.