Severity: Medium
Description of Problem:
If an authorized user can be lured into invoking an ICA connection to Citrix Presentation Server, it may be possible for an attacker to execute unauthorized code on that server in the context of the authorized user.
ICA connections can be invoked by launching an .ICA file or by using an ICA client browser plug-in. For example, this could occur if a user visits an untrusted website or opens an untrusted e-mail attachment.
The potential implications of this attack depend on the configuration of Citrix Presentation Server. If Citrix Presentation Server is configured to:
• Only launch published applications, without any command line parameters
It may be possible for an attacker to lure the user into starting an application, but the attacker should not be able to exert any control over the application.
• Only launch published applications, allowing command line parameters
It may be possible for an attacker to lure the user to start an application with attacker-specified parameters. Command line parameters are allowed if the administrator has configured the application for use with file type association or has explicitly added the correct symbols to the application command line.
For additional notes on the appropriate published application command line configuration, please see below.
• Launch published applications, and also allow other programs to be launched
It may be possible for an attacker to lure the user to execute an attacker-specified command on the server.
Mitigating Factors:
There are a number of mitigating factors that help prevent attacks of this type:
• By default, Citrix Presentation Server is configured to only allow published applications to be launched. Citrix Presentation Servers configured in this way cannot be used to directly launch unauthorized code.
• By default, Citrix Presentation Server is configured to prevent parameters being passed to published applications.
• The target user must be authorized to launch the application that has been specified by the attacker.
• An attacker would require prior knowledge of specific configuration details relating to the Citrix Presentation Server deployment in order to exploit this issue.
What Customers Should Do
Citrix recommends that customers:
• Verify that their Citrix Presentation Server configuration follows best security practice; specifically, customers should verify that their Citrix Presentation Server deployments are configured to only allow published applications to be launched.
• Inform users of the risks associated with opening ICA files of untrusted or unknown origin, for example via e-mail from untrusted sources.
• Ensure that web browsers are configured to disallow launching of an ICA Client from untrusted web sites, for example by disabling file download in the relevant Internet Explorer zones.
• Ensure that browser components that can launch ICA connections cannot be accessed by untrusted web sites, for example the Citrix Presentation Server Client for Windows ActiveX control.
• Ensure that, if applications are published anonymously, they are configured in an appropriate manner.
• Ensure that administrators take additional care since, as intended, restrictions on published application launches do not apply to administrators.
• Review the recommendations on published application parameter usage described below.
For more information on guidelines for best practice, see Citrix Security Bulletin CTX114938. This Security Bulletin can be found on the Citrix support website at the address below:
http://support.citrix.com/article/CTX114938
For Citrix Presentation Server deployments that are already configured to only allow published applications to be launched, different mitigation methods are available depending on the version of Presentation Server in use.
Citrix recommends that customers review both the guidance in this document and the Readme for any available updates.
Recommended updates
Citrix Presentation Server 4.5:
Citrix has released Hotfix Rollup Pack 2 for Citrix Presentation Server 4.5. This update mitigates the issue by changing the published application command line validation:
• Prior to Hotfix Rollup Pack 2, the use of “%*” in the published application command line would allow the client to supply an arbitrary command line to the published application.
• With Hotfix Rollup Pack 2 and later, the scope of “%*” has been restricted, such that only a single document filename on the client or server, or configured published content, will be permitted.
• With Hotfix Rollup Pack 2 and later, use of “%**” allows the full range of command line parameters. This option should only be used with applications that can safely be passed a potentially untrusted command line.
• Customers should be aware that the additional command line parameter validation included in Hotfix Rollup Pack 2 supersedes the previous mitigation involving changing the application name to make it less predictable.
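The following is an added example, not code from Citrix or from this bulletin. It audits a constructed set of published application command lines for the "%*" and "%**" symbols described above, and models (as a simplifying assumption, not Citrix's actual implementation) the restricted "%*" rule that only a single document filename on a mapped client drive or the server is permitted.

```python
import re

# Constructed sample of published-application command lines, as an administrator
# might export them for review. Not taken from any real deployment.
PUBLISHED_APPS = {
    "Notepad":   r'C:\Windows\notepad.exe',
    "WordPad":   r'"C:\Program Files\Windows NT\Accessories\wordpad.exe" "%*"',
    "Converter": r'C:\Tools\convert.exe %**',
}

# A single document path: either a mapped client drive (\\Client\X$\...) or a
# server drive letter, a chain of directory names, and a filename with extension.
PATH_RE = r'(\\\\Client\\[A-Za-z]\$\\|[A-Za-z]:\\)(?:[^\\/:*?"<>|]+\\)*[^\\/:*?"<>|]+\.[A-Za-z0-9]+'

def classify_command_line(cmdline: str) -> str:
    """Classify how much control the client can exert, following the
    post-Hotfix-Rollup-Pack-2 semantics described in the bulletin."""
    if "%**" in cmdline:          # must be tested before "%*", which it contains
        return "full-parameters"  # arbitrary client-supplied command line
    if "%*" in cmdline:
        return "single-document"  # one filename (client, server or published content)
    return "no-parameters"

def audit(apps):
    """Return the published applications that still accept an arbitrary
    client-supplied command line and therefore need explicit review."""
    return sorted(name for name, cl in apps.items()
                  if classify_command_line(cl) == "full-parameters")

def allowed_single_document(arg: str) -> bool:
    """Simplified model (an assumption, not Citrix's code) of the restricted
    "%*" rule: exactly one token naming a document, with no shell
    metacharacters and no unquoted whitespace that would smuggle in more."""
    arg = arg.strip()
    quoted = len(arg) >= 2 and arg[0] == arg[-1] == '"'
    if quoted:
        arg = arg[1:-1]
    if not arg or re.search(r'[&|<>^"%]', arg):
        return False              # cmd.exe metacharacters or embedded quotes
    if not quoted and re.search(r'\s', arg):
        return False              # unquoted whitespace means more than one token
    return bool(re.fullmatch(PATH_RE, arg))

if __name__ == "__main__":
    for name, cl in PUBLISHED_APPS.items():
        print(f"{name:10s} {classify_command_line(cl)}")
    print("needs review:", audit(PUBLISHED_APPS))
```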
Citrix Presentation Server 4.5 for Windows Server 2003:
EN - http://support.citrix.com/article/CTX116289
FR - http://support.citrix.com/article/CTX116290
DE - http://support.citrix.com/article/CTX116291
JA - http://support.citrix.com/article/CTX116292
ES - http://support.citrix.com/article/CTX116293
Citrix Presentation Server 4.5 for Windows Server 2003 x64 Editions:
EN - http://support.citrix.com/article/CTX116294
FR - http://support.citrix.com/article/CTX116295
DE - http://support.citrix.com/article/CTX116296
JA - http://support.citrix.com/article/CTX116298
ES - http://support.citrix.com/article/CTX116299
Customers that do not deploy Hotfix Rollup Pack 02 for Presentation Server 4.5 should use one of the following hotfixes. These provide an alternative mitigation by making published application names less predictable.
Citrix Presentation Server 4.5 for Windows Server 2003:
EN - http://support.citrix.com/article/CTX115275
FR - http://support.citrix.com/article/CTX115380
DE - http://support.citrix.com/article/CTX115381
JA - http://support.citrix.com/article/CTX115382
ES - http://support.citrix.com/article/CTX115384
Citrix Presentation Server 4.5 for Windows Server 2003 x64 Editions:
EN - http://support.citrix.com/article/CTX115278
FR - http://support.citrix.com/article/CTX115385
DE - http://support.citrix.com/article/CTX115386
JA - http://support.citrix.com/article/CTX115387
ES - http://support.citrix.com/article/CTX115388
Citrix Presentation Server 4.0 and earlier:
Citrix Presentation Server 4.0 for Windows 2000 Server:
EN - http://support.citrix.com/article/CTX115276
FR - http://support.citrix.com/article/CTX115393
DE - http://support.citrix.com/article/CTX115394
JA - http://support.citrix.com/article/CTX115395
ES - http://support.citrix.com/article/CTX115396
Citrix Presentation Server 4.0 for Windows Server 2003:
EN - http://support.citrix.com/article/CTX115277
FR - http://support.citrix.com/article/CTX115389
DE - http://support.citrix.com/article/CTX115390
JA - http://support.citrix.com/article/CTX115391
ES - http://support.citrix.com/article/CTX115392
Citrix Presentation Server 4.0 for Windows Server 2003 x64 Editions:
EN - http://support.citrix.com/article/CTX115611
FR - http://support.citrix.com/article/CTX115612
DE - http://support.citrix.com/article/CTX115613
JA - http://support.citrix.com/article/CTX115615
ES - http://support.citrix.com/article/CTX115614
MetaFrame Presentation Server 3.0 for Windows 2000 Server:
EN - http://support.citrix.com/article/CTX115483
FR - http://support.citrix.com/article/CTX115484
DE - http://support.citrix.com/article/CTX115485
JA - http://support.citrix.com/article/CTX115487
ES - http://support.citrix.com/article/CTX115486
MetaFrame Presentation Server 3.0 for Windows Server 2003:
EN - http://support.citrix.com/article/CTX115488
FR - http://support.citrix.com/article/CTX115489
DE - http://support.citrix.com/article/CTX115490
JA - http://support.citrix.com/article/CTX115492
ES - http://support.citrix.com/article/CTX115491
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Base at http://support.citrix.com/.
Obtaining Support on this Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Information for contacting Citrix Technical Support is available at http://support.citrix.com/.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities very seriously. If you would like to report a security issue to Citrix, please compose an e-mail to secure@citrix.com containing the exact version of the product in which the vulnerability was found and the steps needed to reproduce the vulnerability.