Description of Problem
A number of vulnerabilities have been identified in a third-party component that is used by the Citrix Licensing Administration Console. These vulnerabilities include:
• Cross-site scripting (XSS). This vulnerability could potentially be used to execute malicious client-side script in the same context as legitimate content from the web server. If the script runs in the browser of an authenticated administrator, it may be able to gain access to that administrator's authenticated session or to other potentially sensitive information.
• Cross-site request forgery (CSRF). This vulnerability could potentially be used by an attacker to perform actions within the web application in the same context as a legitimate user. If an administrator is logged in to the web application at the time of the attack, the attacker could potentially perform privileged operations within the web application on the administrator's behalf.
• Denial of service (DoS). This vulnerability could allow an attacker with network access to the web application to effectively prevent access by other legitimate users of the system.
These vulnerabilities affect all versions of the Citrix Licensing Administration Console, formerly known as the License Management Console, earlier than version 11.10.
Mitigating Factors
In order to gain unauthorized access to the administrative interface through the XSS or CSRF vulnerabilities, an attacker requires interaction from an authorized administrator, for example an administrator visiting an attacker-controlled page or link while logged in to the console.
In a typical deployment, the affected components would not be widely exposed.
What Customers Should Do
These vulnerabilities have been addressed in a new version of the License Server software. Citrix recommends that affected customers upgrade their License Server to version 11.10 or later. The License Server software can be obtained from the following location:
https://www.citrix.com/English/ss/downloads/results.asp?productID=1679389
In line with established best practice, Citrix recommends that:
• The License Server environment should be configured so that only authorized administrators on a trusted network are permitted to reach the Licensing Administration Console port. This can be achieved with an appropriately configured network or host-based firewall that permits inbound connections to the console port only from the administrative network.
• When using the Licensing Administration Console, administrators should avoid visiting untrusted websites or clicking on untrusted URLs.
Customers requiring further information on specific configuration settings should contact their normal support representative.
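The following is an added example, not part of the Citrix advisory and not Citrix-supplied configuration, showing how the host-based firewall recommendation above can be applied on a Windows License Server with the Windows Firewall cmdlets (Windows Server 2012 or later; the equivalent on older hosts is netsh advfirewall). The console port (8082) and the administrative subnet (10.0.10.0/24) are assumptions for illustration and must be checked against the actual License Server configuration before use. The unscoped "weak" rule is shown commented out for contrast with the scoped rule that replaces it.

```powershell
# Added example (not from the Citrix advisory): restrict inbound access to the
# Licensing Administration Console port to a trusted administrative subnet.
# Requires the NetSecurity module (Windows Server 2012 or later).
$ConsolePort = 8082            # ASSUMPTION: verify the port the console actually listens on
$AdminSubnet = '10.0.10.0/24'  # ASSUMPTION: replace with your trusted admin network

# Weak setting (shown for contrast, do not run): an allow rule with no remote-address
# scope exposes the console to every network the host can be reached from.
# New-NetFirewallRule -DisplayName 'Citrix Licensing Console (open)' -Direction Inbound `
#     -Protocol TCP -LocalPort $ConsolePort -RemoteAddress Any -Action Allow

# 1. Ensure unsolicited inbound traffic is dropped by default on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Remove any existing enabled inbound allow rule that already opens the console
#    port to any remote address. Windows Firewall evaluates block rules before allow
#    rules, so adding a blanket block for the port would also cut off the admin
#    subnet; the safe fix is to delete the broad allow rules instead.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -eq "$ConsolePort" -and
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any'
    } |
    Remove-NetFirewallRule

# 3. Corrected setting: allow the console port only from the administrative subnet,
#    and only on the Domain and Private profiles.
New-NetFirewallRule -DisplayName 'Citrix Licensing Console (admin subnet only)' `
    -Direction Inbound -Protocol TCP -LocalPort $ConsolePort `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Domain,Private

# 4. Verify: only the scoped allow rule should remain for the console port.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq "$ConsolePort" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
```

Run this in an elevated PowerShell session on the License Server itself, and confirm afterwards from a host outside the administrative subnet that the console port no longer answers. If the console is reached through a network firewall rather than the host firewall, apply the same scoping there: allow the console port from the administrative network only and deny it from everywhere else.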
Acknowledgements
Citrix thanks the following for working with us to protect Citrix customers:
• nSense (http://www.nsense.net/)
• Maxim Tsoy and Kirill Mosolov of Positive Research Center (http://www.ptsecurity.com/)
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. If you would like to report a security issue to Citrix, please compose an e-mail to secure@citrix.com stating the exact version of the product in which the vulnerability was found and the steps needed to reproduce the vulnerability.