-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0548 -- [Win]
                Multiple vulnerabilities in Citrix products
                                26 May 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Citrix Presentation Server versions 4.0, 4.5
                      Citrix Access Essentials versions 1.0, 1.5, 2.0
                      Citrix Desktop Server 1.0
Publisher:            Citrix
Operating System:     Windows Server 2003
                      Windows 2000
Impact:               Inappropriate Access
                      Reduced Security
Access:               Existing Account
CVE Names:            CVE-2008-2300 CVE-2008-2299

Original Bulletin:    http://support.citrix.com/article/CTX114893
                      http://support.citrix.com/article/CTX116941

Comment: This bulletin contains two Citrix advisories relating to various
         Citrix products.

- --------------------------BEGIN INCLUDED TEXT--------------------

Document ID: CTX116941
Created On: May 12, 2008
Updated On: May 13, 2008

Severity: Medium

Description of Problem 

Citrix Presentation Server provides access control to both published
applications and published desktops. Under specific circumstances, an
authenticated user may be able to access a desktop session despite
being unauthorized to access a published desktop.

This vulnerability affects the following products:
    o Citrix Presentation Server versions up to and including 4.5
    o Citrix Access Essentials versions up to and including 2.0
    o Citrix Desktop Server version 1.0

Mitigating Factors

The user must authenticate to Citrix Presentation Server for this
vulnerability to apply.

This vulnerability can be used by an authenticated user to gain access
to a desktop running in the context of their own account. It does not
allow a user to gain any additional Windows privileges, access rights
or capabilities.
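The following is an added illustration, not Citrix code and not a description of the actual Presentation Server broker: a toy Python model of the class of defect described above, in which entitlement to a published application is mistaken for entitlement to a desktop session. The resource names, the ACL layout and the authorize_* and launch functions are assumptions made for this example.

```python
"""Toy model of published-resource authorization on a session broker.

Added example, not Citrix code: it models the class of defect described
in CTX116941 (an authenticated user reaching a desktop session without
being authorized for a published desktop). Resource names, the ACL
layout and the authorize_* helpers are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PublishedResource:
    name: str
    kind: str                 # "application" or "desktop"
    allowed_users: frozenset  # users entitled to this resource


@dataclass(frozen=True)
class LaunchRequest:
    user: str      # already authenticated; the issue is authorization
    resource: str  # published resource the client names
    kind: str      # session type the client asks the server to start


# Constructed sample catalogue (hypothetical names): bob is entitled to
# an application only, alice to the application and the desktop.
CATALOGUE = {
    "Notepad": PublishedResource("Notepad", "application",
                                 frozenset({"alice", "bob"})),
    "FullDesktop": PublishedResource("FullDesktop", "desktop",
                                     frozenset({"alice"})),
}


def authorize_vulnerable(req: LaunchRequest) -> bool:
    """Confused-scope check: confirms the user is entitled to *some*
    published resource on this server, then honours whatever session
    type the client asked for. Application entitlement is thereby
    promoted to a desktop session."""
    return any(req.user in r.allowed_users for r in CATALOGUE.values())


def authorize_fixed(req: LaunchRequest) -> bool:
    """Decides per named resource and requires the requested session
    type to match the type the resource was published as."""
    res = CATALOGUE.get(req.resource)
    if res is None:
        return False
    if res.kind != req.kind:
        return False  # an application entitlement cannot start a desktop
    return req.user in res.allowed_users


def launch(req: LaunchRequest, authorize=authorize_fixed) -> dict:
    """Returns a session descriptor or raises PermissionError. Either
    way the session would run as the requesting user's own account, which
    is why the advisory notes no additional Windows privileges are gained."""
    if not authorize(req):
        raise PermissionError(f"{req.user} not authorized for {req.kind} "
                              f"{req.resource}")
    return {"runs_as": req.user, "kind": req.kind, "resource": req.resource}


if __name__ == "__main__":
    probe = LaunchRequest("bob", "Notepad", "desktop")
    print("vulnerable:", authorize_vulnerable(probe))  # True
    print("fixed:     ", authorize_fixed(probe))       # False
```

The point of the fixed variant is that the broker decides both the resource and the session type; the client's requested kind is checked against what was published, not taken on trust.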

What Customers Should Do

A hotfix has been released to address this issue. Citrix recommends
that affected customers install the hotfix which can be downloaded
from the following locations:

Citrix Presentation Server 4.5 for Windows Server 2003:
EN - http://support.citrix.com/article/CTX116960
FR - http://support.citrix.com/article/CTX116962
GE - http://support.citrix.com/article/CTX116961
JA - http://support.citrix.com/article/CTX116964
ES - http://support.citrix.com/article/CTX116963

Citrix Presentation Server 4.5 for Windows Server 2003 x64 Editions:
EN - http://support.citrix.com/article/CTX116954
FR - http://support.citrix.com/article/CTX116956
GE - http://support.citrix.com/article/CTX116957
JA - http://support.citrix.com/article/CTX116959
ES - http://support.citrix.com/article/CTX116958

Citrix Presentation Server 4.0 for Windows 2000 Server:
EN - http://support.citrix.com/article/CTX116521
FR - http://support.citrix.com/article/CTX116522
GE - http://support.citrix.com/article/CTX116528
JA - http://support.citrix.com/article/CTX116529
ES - http://support.citrix.com/article/CTX116527

Citrix Presentation Server 4.0 for Windows Server 2003:
EN - http://support.citrix.com/article/CTX116008
FR - http://support.citrix.com/article/CTX116523
GE - http://support.citrix.com/article/CTX116111
JA - http://support.citrix.com/article/CTX116009
ES - http://support.citrix.com/article/CTX116524

Citrix Access Essentials 2.0:
EN - http://support.citrix.com/article/CTX116960
FR - http://support.citrix.com/article/CTX116962
GE - http://support.citrix.com/article/CTX116961
JA - http://support.citrix.com/article/CTX116964
ES - http://support.citrix.com/article/CTX116963

Citrix Access Essentials 1.5:
EN - http://support.citrix.com/article/CTX116008
FR - http://support.citrix.com/article/CTX116523
GE - http://support.citrix.com/article/CTX116111
JA - http://support.citrix.com/article/CTX116009
ES - http://support.citrix.com/article/CTX116524

Citrix Access Essentials 1.0:
EN - http://support.citrix.com/article/CTX116008
FR - http://support.citrix.com/article/CTX116523
GE - http://support.citrix.com/article/CTX116111
JA - http://support.citrix.com/article/CTX116009
ES - http://support.citrix.com/article/CTX116524

Citrix Desktop Server 1.0 for Windows Server 2003:
EN - http://support.citrix.com/article/CTX116548

Citrix Desktop Server 1.0 for Windows Server 2003 x64 Editions:
EN - http://support.citrix.com/article/CTX116549

What Citrix Is Doing

Citrix is notifying customers and channel partners about this
potential security issue. This article is also available from the
Citrix Knowledge Base at http://support.citrix.com/.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Information for contacting Citrix Technical
Support is available at
http://www.citrix.com/English/ss/supportContacts.asp.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities seriously. If you
would like to report a security issue to Citrix, please compose an
e-mail to secure@citrix.com containing the exact version of the
product in which the vulnerability was found and the steps needed to
reproduce the vulnerability.

This document applies to:

  * Presentation Server 4.0 for Microsoft Windows 2003
  * Access Essentials 1.5
  * Presentation Server 4.5 for Windows Server 2003
  * Presentation Server 4.0 for Microsoft Windows 2000
  * Access Essentials 2.0
  * Desktop Server 1.0
  * Feature Pack 1 for Presentation Server 4.5
  * Presentation Server 4.5 for Windows Server 2003 x64 Edition
  * Access Essentials 1.0

- -----------------------------------------------------------------

Document ID: CTX114893
Created On: May 12, 2008
Updated On: May 12, 2008

Severity: Medium

Description of Problem 

The ICA protocol offers configurable encryption capabilities, known as
SecureICA and ICA Basic encryption, that can be used to secure traffic
between the ICA client and the server. These encryption capabilities
are distinct from SSL/TLS encryption.

Under some circumstances, a vulnerability in Citrix Presentation
Server could allow a client to establish a connection with encryption
settings that are lower than the minimum configured by the
administrator.

This does not affect the use of SSL/TLS by Citrix Presentation Server,
or any other Citrix components.
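The following is an added illustration, not Citrix code and not the real ICA handshake: a toy Python model of a minimum-encryption-level negotiation, contrasting a server that trusts the client's proposal with one that enforces the administrator's configured minimum. The numeric ranking of the levels, the client hello layout and the negotiate_* and meets_minimum functions are assumptions made for this example.

```python
"""Toy model of a minimum-encryption-level negotiation.

Added example, not Citrix code and not the real ICA handshake: it
illustrates the downgrade pattern described in CTX114893, where a client
ends up with a weaker level than the administrator's configured minimum.
The level names mirror the SecureICA options, but their ranking, the
client hello layout and the negotiate_* functions are assumptions.
"""
from typing import Optional

# Weakest to strongest (assumed ranking for this example).
LEVELS = ["Basic", "RC5 (40 bit)", "RC5 (56 bit)", "RC5 (128 bit)"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def negotiate_vulnerable(client_hello: dict, admin_minimum: str) -> str:
    """Trusts the client's proposal and never consults admin_minimum.
    A missing or unrecognised field falls back to Basic, so both an
    explicit downgrade and a malformed hello land below the minimum."""
    proposed = client_hello.get("encryption", "Basic")
    return proposed if proposed in RANK else "Basic"


def negotiate_fixed(client_hello: dict, admin_minimum: str) -> Optional[str]:
    """Server-side enforcement: returns the agreed level, or None to
    refuse the connection when the client offers nothing, offers an
    unknown level, or offers a level ranked below the configured minimum.
    It never substitutes a weaker level on the client's behalf."""
    if admin_minimum not in RANK:
        raise ValueError(f"unknown configured minimum: {admin_minimum!r}")
    proposed = client_hello.get("encryption")
    if proposed not in RANK:
        return None
    if RANK[proposed] < RANK[admin_minimum]:
        return None
    return proposed


def meets_minimum(agreed: Optional[str], admin_minimum: str) -> bool:
    """Post-hoc audit check usable on either negotiator's result: True
    only when a level was agreed and it is at least the minimum."""
    return agreed in RANK and RANK[agreed] >= RANK[admin_minimum]


if __name__ == "__main__":
    # Constructed client hello that explicitly asks for the weakest level.
    hello = {"encryption": "Basic"}
    print("vulnerable:", negotiate_vulnerable(hello, "RC5 (128 bit)"))  # Basic
    print("fixed:     ", negotiate_fixed(hello, "RC5 (128 bit)"))       # None
```

Two details matter in the fixed variant: the minimum is compared on the server, not advertised to the client for it to honour, and an absent or unknown proposal is refused rather than defaulted downward, since "no field" is the easiest downgrade to send.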

This vulnerability affects the following products:
    o Citrix Presentation Server versions up to and including 4.5 when
      installed on Windows Server 2003
    o Citrix Access Essentials versions up to and including 2.0
    o Citrix Desktop Server version 1.0

Mitigating Factors

Customers using other means of securing traffic between Citrix
Presentation Server and its clients are not affected by this
vulnerability. Such methods include Citrix SSL Relay, Citrix Secure
Gateway, and Citrix Access Gateway Standard, Advanced or Enterprise
Edition.

As best practice, Citrix already recommends the use of additional
security technologies in such deployments because of limitations in
SecureICA and ICA Basic encryption. This is documented in articles
CTX101737 and CTX155541.

What Customers Should Do

A hotfix has been released to address this issue. Citrix recommends
that customers affected by this issue install the hotfix, which can be
downloaded from the locations listed below.

Citrix Presentation Server 4.5 for Windows Server 2003:
EN - http://support.citrix.com/article/CTX116289
FR - http://support.citrix.com/article/CTX116290
GE - http://support.citrix.com/article/CTX116291
JA - http://support.citrix.com/article/CTX116292
ES - http://support.citrix.com/article/CTX116293

Citrix Presentation Server 4.5 for Windows Server 2003 x64 Editions:
EN - http://support.citrix.com/article/CTX116294
FR - http://support.citrix.com/article/CTX116295
GE - http://support.citrix.com/article/CTX116296
JA - http://support.citrix.com/article/CTX116298
ES - http://support.citrix.com/article/CTX116299

Citrix Presentation Server 4.0 for Windows Server 2003:
EN - http://support.citrix.com/article/CTX113484
FR - http://support.citrix.com/article/CTX113778
GE - http://support.citrix.com/article/CTX113779
JA - http://support.citrix.com/article/CTX113781
ES - http://support.citrix.com/article/CTX113780

Citrix Access Essentials 2.0:
EN - http://support.citrix.com/article/CTX116289
FR - http://support.citrix.com/article/CTX116290
GE - http://support.citrix.com/article/CTX116291
JA - http://support.citrix.com/article/CTX116292
ES - http://support.citrix.com/article/CTX116293

Citrix Access Essentials 1.5:
EN - http://support.citrix.com/article/CTX113484
FR - http://support.citrix.com/article/CTX113778
GE - http://support.citrix.com/article/CTX113779
JA - http://support.citrix.com/article/CTX113781
ES - http://support.citrix.com/article/CTX113780

Citrix Access Essentials 1.0:
EN - http://support.citrix.com/article/CTX113484
FR - http://support.citrix.com/article/CTX113778
GE - http://support.citrix.com/article/CTX113779
JA - http://support.citrix.com/article/CTX113781
ES - http://support.citrix.com/article/CTX113780

Citrix Desktop Server 1.0 for Windows Server 2003:
EN - http://support.citrix.com/article/CTX116805

What Citrix Is Doing

Citrix is notifying customers and channel partners about this
potential security issue. This article is also available from the
Citrix Knowledge Base at http://support.citrix.com/.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Information for contacting Citrix Technical
Support is available at
http://www.citrix.com/English/ss/supportContacts.asp.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities seriously. If you
would like to report a security issue to Citrix, please compose an
e-mail to secure@citrix.com containing the exact version of the
product in which the vulnerability was found and the steps needed to
reproduce the vulnerability.

This document applies to:

  * Presentation Server 4.0 for Microsoft Windows 2003
  * Access Essentials 1.5
  * Presentation Server 4.5 for Windows Server 2003
  * Access Essentials 2.0
  * Desktop Server 1.0
  * Feature Pack 1 for Presentation Server 4.5
  * Presentation Server 4.5 for Windows Server 2003 x64 Edition
  * Access Essentials 1.0

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSDpX2Sh9+71yA2DNAQKNzwP9EQCMgHIrGnpE8eQ9Sd7ouUhmTi4ukeef
nVqBFlwIMo4pY8/gd822CjDSQyUogCeWH9clzhbak/JLWmnislkbcxTqKnMRugZE
7Lb7uJsSk2aAnVP1FRx2ty1io79eYpfvuQSiiHNyeQIJ15n8EUXo+2GUDRefzBu4
BWW/si1PJCo=
=AG5L
-----END PGP SIGNATURE-----