Description of Problem

If the Advanced Access Control option (AAC) of Access Gateway is configured to use LDAP authentication then it is possible for a user to logon without supplying valid credentials.

This vulnerability only affects AAC Version 4.2 deployments that are using LDAP authentication; Access Gateway deployments that do not include AAC are not vulnerable to this issue.

What Customers Should Do

This vulnerability is addressed by hotfix AAC420W004. Citrix recommends that any customers using AAC 4.2 with LDAP authentication install this hotfix. The hotfix can be downloaded from the following location:

http://support.citrix.com/article/CTX110439

What Citrix Is Doing

Citrix is proactively notifying customers and channel partners about this potential security issue. An article containing the information in this bulletin is available from the Citrix Knowledge Base at http://support.citrix.com/.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Information for contacting Citrix Technical Support is available at http://support.citrix.com/.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities very seriously. If you would like to report a security issue to Citrix, please compose an e-mail to secure@citrix.com containing the exact version of the product in which the vulnerability was found and steps to reproduce the vulnerability.