This article describes how to determine if a XenDesktop Site is affected by the vulnerability described in CTX138627: Vulnerability in XenDesktop 7.0 Upgrade Could Result in Policy Bypass and the steps to take to reset the permissions on the policy rules.

Background

When upgrading from XenDesktop 5 (any minor version) to XenDesktop 7.0, configuration changes are made to the Site that result in all users being granted access to all Delivery Groups.

---

Instructions

Determining if a Site is affected

In order to determine if a Site is affected by this vulnerability, log into any Delivery Controller in the Site as a full XenDesktop administrator and run the following commands from a PowerShell prompt:

Add-PsSnapin Citrix.Broker.Admin.V2
Get-BrokerAccessPolicyRule –AllowedUsers AnyAuthenticated

If no direct modifications to the Site with PowerShell have been made (as opposed to using Citrix Studio to manage the Site) and there is any output from the second command, then the Site is vulnerable and the steps in the next section should be followed.

If direct modifications have been made to the system with PowerShell, then the output from the second command should be manually reviewed.

Securing a vulnerable Site

If a Site has been determined to be vulnerable, log into any Controller in the Site as a full XenDesktop administrator and run the following commands from a PowerShell prompt:

Add-PsSnapin Citrix.Broker.Admin.V2
Get-BrokerAccessPolicyRule –AllowedUsers AnyAuthenticated | Set-BrokerAccessPolicyRule –AllowedUsers Filtered

Note that the first command is not necessary if the same PowerShell prompt was used to determine if the Site is vulnerable.

Possible side-effects

Citrix does not believe that the preceding steps will have any side-effects if the Site has been managed solely with Citrix Studio. If direct modifications have been made to the Site with PowerShell, then it is possible that the preceding commands will cause some users to lose access to resources (either applications or desktops).

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Using PowerShell to Reset BrokerAccessPolicyRule Settings