MetaFrame Password Manager "reveal password" policy bypass


Article ID: CTX105800

Description

Description of Problem

Citrix MetaFrame Password Manager allows administrators to control which users can view their own secondary passwords. Versions 2.5 and earlier allow users to view their secondary passwords even if they should be prohibited from doing so by the administrator defined policy.

When viewing configured applications, the password field is displayed to the user as a series of asterisks; however, a password-viewing tool run by the user can extract the cleartext password from this field, because the masking is applied only to the display.

Mitigating Factors

Users can only use this vulnerability to view their own secondary application passwords; it does not allow users or administrators to view other users' stored passwords.

In order to exploit this vulnerability, a user would have to be able to execute a third-party tool on the same host on which the MetaFrame Password Manager agent is installed. If the agent is installed in a locked-down client or MetaFrame Presentation Server environment, users may be prevented from executing third-party tools; in that scenario the vulnerability cannot be exploited.

What Customers Should Do

This issue has been fixed by hotfix MPM250W006. Customers who are concerned about this vulnerability should apply this hotfix; it can be downloaded from the following location:

http://support.citrix.com/kb/entry.jspa?externalID=CTX105762

What Citrix Is Doing

Citrix is proactively notifying customers and channel partners about this potential security issue. An article containing the information in this bulletin is available from the Citrix Knowledge Base at http://support.citrix.com/.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Information for contacting Citrix Technical Support is available at http://support.citrix.com/.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities very seriously. If you would like to report a security issue to Citrix, please compose an e-mail to secure@citrix.com containing the exact version of the product in which the vulnerability was found and steps to reproduce the vulnerability.