Description of Problem
A number of vulnerabilities have been identified in Citrix CloudPortal Services Manager. These vulnerabilities affect all versions of Citrix CloudPortal Services Manager, formerly known as Cortex, up to and including version 10.0 with limited release Cumulative Update 2 applied.
These vulnerabilities have been assigned the following CVE numbers:
• CVE-2013-2933: Impersonation vulnerability could allow unauthorised impersonation of other users
• CVE-2013-2934: Authentication bypass vulnerability could allow unauthenticated users access to URLs hosted in the CortexServices site
• CVE-2013-2935: Cross-site scripting vulnerability in the “Recorded Errors” view
• CVE-2013-2936: Information disclosure vulnerability could allow unauthenticated enumeration of authenticated users
• CVE-2013-2937: Information disclosure vulnerability via ASP.NET stack traces in error messages
• CVE-2013-2938: Information disclosure vulnerability via the X-AspNet-Version and X-Powered-By HTTP headers
• CVE-2013-2939: Privilege escalation vulnerability could allow a privileged user to insert malicious HTML content
• CVE-2013-2940: Authentication bypass vulnerability in CAPTCHAs
What Customers Should Do
These vulnerabilities have been addressed in Cumulative Update 3 for Citrix CloudPortal Services Manager 10.0. Citrix strongly recommends that customers apply either Cumulative Update 3 or Cumulative Update 4 to their Citrix CloudPortal Services Manager 10.0 deployment as soon as possible.
Customers using Citrix CloudPortal Services Manager 11.0 are not affected by these vulnerabilities.
Cumulative Update 4 for Citrix CloudPortal Services Manager version 10.0 can be obtained from the following location:
Customers wishing to obtain Cumulative Update 3 should contact their Citrix Support representative.
In addition to the application of Cumulative Update 3 or Cumulative Update 4, Citrix strongly recommends that customers review the documents below to resolve the following issues:
• CVE-2013-2934: CTX137412 – Restrict Access to Authorized Users for the Web Services
• CVE-2013-2937: CTX137413 – How to Turn Off Debugging Messages in CloudPortal Services Manager
Customers using versions of Citrix CloudPortal Services Manager earlier than version 10.0 must upgrade in order to remediate these issues.
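As an added example (not part of the Citrix advisory or of the CloudPortal Services Manager product), the following Python script lets an administrator confirm, from captured HTTP responses, that the two information-disclosure conditions listed above have been closed after applying the update and the CTX137413 guidance: CVE-2013-2938 (the X-AspNet-Version and X-Powered-By headers) and CVE-2013-2937 (ASP.NET stack traces in error pages). The two sample responses are constructed for illustration, and the error-page markers are assumed to be the generic ASP.NET default error page text rather than anything specific to CloudPortal Services Manager.

```python
"""Added example (not from the Citrix advisory): offline check of captured
HTTP responses for the two information-disclosure conditions the advisory
lists, CVE-2013-2938 (X-AspNet-Version / X-Powered-By headers) and
CVE-2013-2937 (ASP.NET stack traces in error pages). The sample responses
below are constructed for illustration."""

import re

# Headers the advisory names as disclosing framework details (CVE-2013-2938).
DISCLOSING_HEADERS = ("x-aspnet-version", "x-powered-by")

# Markers assumed typical of the default ASP.NET error page with stack trace.
STACK_TRACE_MARKERS = (
    re.compile(r"Server Error in '.*' Application", re.IGNORECASE),
    re.compile(r"Stack Trace:", re.IGNORECASE),
    re.compile(r"\[\w+Exception: .*?\]", re.IGNORECASE),
)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, headers, body).
    Header names are lower-cased; duplicate headers are joined with ', '."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate responses captured with bare LF line endings
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    status_line = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_line, headers, body


def check_response(raw: str) -> dict:
    """Report which disclosure conditions a response still exhibits.
    Returns {'disclosing_headers': [header names], 'stack_trace': bool}."""
    _, headers, body = parse_response(raw)
    found = [h for h in DISCLOSING_HEADERS if h in headers]
    trace = any(p.search(body) for p in STACK_TRACE_MARKERS)
    return {"disclosing_headers": found, "stack_trace": trace}


# Constructed sample: an error response from a server that still sends the
# version headers and a detailed error page (both conditions present).
BEFORE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
    "<html><body><h1>Server Error in '/' Application.</h1>"
    "<b>Stack Trace:</b><pre>[NullReferenceException: Object reference not set]"
    "   at Sample.Web.Default.Page_Load(Object sender, EventArgs e)</pre>"
    "</body></html>"
)

# Constructed sample: the same failure after debugging messages are turned off
# and the version headers are removed; only a generic error page is returned.
AFTER = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body><h1>An error has occurred.</h1></body></html>"
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, check_response(sample))
```

Run it against responses saved from the CloudPortal site (for example, a deliberately requested non-existent page); an empty `disclosing_headers` list and `stack_trace` set to `False` indicate the configuration changes from CTX137413 and the header removal have taken effect.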
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available through your distributor.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. If you would like to report a security issue to Citrix, please compose an e-mail to firstname.lastname@example.org stating the exact version of the product in which the vulnerability was found and the steps needed to reproduce the vulnerability.