
             AUSCERT External Security Bulletin Redistribution

             Citrix Security Advisory for NTP Vulnerabilities
                               18 March 2015


        AusCERT Security Bulletin Summary

Product:           Citrix products
Publisher:         Citrix
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9296 CVE-2014-9295 CVE-2014-9294

Reference:         ASB-2015.0023

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Security Advisory for NTP Vulnerabilities


Created on Jan 05, 2015 

Updated on Mar 04, 2015

Security Bulletin 

Severity : None

Description of Problem

Citrix is aware of recent vulnerability reports that impact Network Time 
Protocol (NTP) and is actively investigating the potential impact of these 
issues on Citrix products. There are a number of CVEs related to this issue, 
the current set includes:

   CVE-2014-9293
   CVE-2014-9294
   CVE-2014-9295
   CVE-2014-9296

The following sections provide some initial guidance to customers on the 
potential impact of this issue. Please note that this issue is under active 
analysis and, as such, customers should check back frequently to get the 
current status of our response.

NetScaler ADC & NetScaler Gateway

By default, NTP is disabled on the NetScaler and, as such, is not vulnerable 
to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. However, in
deployments where customers have enabled NTP on the appliance, it is likely 
that these vulnerabilities will impact NetScaler.

Citrix is currently in the process of investigating the potential effects of 
these issues on affected NetScaler versions. As an interim mitigation for 
deployments that require NTP on NetScaler, we recommend that customers apply 
the following remediation:

Open the NetScaler's ntp.conf file in /etc and add the following lines:

   restrict -4 default notrap nopeer nomodify noquery

   restrict -6 default notrap nopeer nomodify noquery

In addition to adding the above two lines, all other 'restrict' directives 
should be reviewed to ensure that they contain both 'nomodify' and 'noquery' 
and that the file contains no 'crypto' directives.

When this editing is complete, save the file and copy it to the /nsconfig 
directory, which holds the copy that persists across reboots; a change made 
only in /etc is lost when the appliance restarts. The NTP service must then 
be restarted for the changes to take effect. As with all changes, Citrix 
recommends that this is evaluated in a test environment prior to releasing to 
production.
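The procedure above (the two default lines, the review of every remaining 'restrict' directive, the absence of 'crypto' directives) is easy to get wrong by hand across a fleet of appliances. The script below is an added example, not Citrix's code and not part of the advisory: it applies the three rules mechanically to a copy of ntp.conf and treats a file as compliant exactly when that mechanical pass would change nothing, so the diff it prints is the finding list. The function names are the editor's own, and the sample ntp.conf it exercises is constructed for the demonstration. It assumes POSIX sh, awk, diff and mktemp, which the NetScaler FreeBSD shell and any Linux admin host provide.

```shell
#!/bin/sh
# Added example (not from the Citrix advisory): audit and harden an ntp.conf
# against the three rules in the NetScaler mitigation.  POSIX sh + awk only.
# Function names are the editor's own; the sample ntp.conf is constructed.
#
# Rules applied to a copy of the file:
#   1. 'restrict default' (v4 and v6) must carry notrap nopeer nomodify noquery;
#      a family with no default line gets the advisory's line appended.
#   2. every other 'restrict' line must carry nomodify and noquery.
#   3. any 'crypto' directive is removed (left behind as a comment for review).
# Trailing '# comments' on a line are preserved.  Rule 2 also hits the loopback
# lines (restrict 127.0.0.1 / ::1), which is what the advisory's wording asks
# for and which stops local ntpq queries as well.
harden_ntp_conf() {    # usage: harden_ntp_conf IN OUT
    awk '
    function has(f,   k) { for (k = 2; k <= NF; k++) if ($k == f) return 1; return 0 }
    BEGIN { seen4 = 0; seen6 = 0 }
    {
        orig = $0; cmt = ""
        if (match($0, /#.*/)) { cmt = substr($0, RSTART); $0 = substr($0, 1, RSTART - 1) }
    }
    $1 == "crypto"   { print "# removed by harden_ntp_conf: " orig; next }
    $1 == "restrict" {
        fam = "both"; i = 2
        if ($i == "-4" || $i == "-ipv4")      { fam = "v4"; i++ }
        else if ($i == "-6" || $i == "-ipv6") { fam = "v6"; i++ }
        addr = $i
        add = ""
        if (addr == "default") {
            if (fam != "v6") seen4 = 1          # a family-less default covers both
            if (fam != "v4") seen6 = 1
            if (!has("notrap")) add = add " notrap"
            if (!has("nopeer")) add = add " nopeer"
        }
        if (!has("nomodify")) add = add " nomodify"
        if (!has("noquery"))  add = add " noquery"
        if (add == "") { print orig; next }     # already compliant: keep verbatim
        line = $0; sub(/[ \t]+$/, "", line)
        out = line add
        if (cmt != "") out = out "  " cmt
        print out
        next
    }
    { print orig }
    END {
        if (!seen4) print "restrict -4 default notrap nopeer nomodify noquery"
        if (!seen6) print "restrict -6 default notrap nopeer nomodify noquery"
    }' "$1" > "$2"
}

audit_ntp_conf() {    # usage: audit_ntp_conf FILE ; exit status 0 = compliant
    # A file is compliant exactly when hardening it would change nothing, so
    # the unified diff printed here is the list of findings to act on.
    _audit_tmp=$(mktemp) || return 2
    harden_ntp_conf "$1" "$_audit_tmp"
    if diff -u "$1" "$_audit_tmp"; then rm -f "$_audit_tmp"; return 0; fi
    rm -f "$_audit_tmp"
    return 1
}

ntp_conf_status() {    # one-word verdict, convenient for fleet-wide loops
    if audit_ntp_conf "$1" >/dev/null; then echo ok; else echo needs-hardening; fi
}

write_sample_weak_conf() {    # constructed input, not taken from any appliance
    cat > "$1" <<'EOF'
# constructed sample ntp.conf: NTP enabled, defaults never tightened
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
driftfile /var/db/ntp.drift
restrict -4 default kod notrap nomodify   # lacks nopeer and noquery
restrict 127.0.0.1
restrict ::1
crypto
EOF
}

demo_ntp_hardening() {    # end-to-end run on the constructed sample
    d=$(mktemp -d) || return 2
    write_sample_weak_conf "$d/ntp.conf"
    echo "before: $(ntp_conf_status "$d/ntp.conf")"
    harden_ntp_conf "$d/ntp.conf" "$d/ntp.conf.hardened"
    echo "after:  $(ntp_conf_status "$d/ntp.conf.hardened")"
    cat "$d/ntp.conf.hardened"
    rm -rf "$d"
}
```

On an appliance, `audit_ntp_conf /etc/ntp.conf` prints the changes the advisory would require; `harden_ntp_conf /etc/ntp.conf /tmp/ntp.conf.new` produces a candidate that still has to be read by a person, copied to both /etc and /nsconfig, and followed by an ntpd restart, as the advisory describes. The script knows only the three rules quoted above and does not validate the rest of the file.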


XenServer

Some XenServer versions may include a version of ntpd that contains the 
vulnerable code. However, the NTP configuration used by XenServer means that 
these issues are not exploitable: the relevant functionality cannot be 
reached by untrusted network traffic.

XenMobile App Controller

A patch for affected versions of Citrix AppController has been released that 
addresses this vulnerability. This patch is available on the Citrix website at 
the following address:


Citrix recommends that customers using affected versions of App Controller 
apply this patch to their appliances as soon as their patching schedule 

Citrix CloudPlatform

The following versions of Citrix CloudPlatform are impacted by this 

   Citrix CloudPlatform 4.3.x: This vulnerability affects all versions of 
   CloudPlatform up to and including version

   Citrix CloudPlatform 4.2.x: This vulnerability affects all versions of 
   CloudPlatform up to and including version 4.2.1-6.

   Citrix CloudPlatform 3.0.x: This vulnerability affects all versions of 
   CloudPlatform up to and including version 3.0.7 Patch G.

Citrix CloudPlatform 4.5 is not affected by this vulnerability.

Customers using affected versions of Citrix CloudPlatform should update their
SystemVM ISO. Download details and more information on how to update the 
SystemVM ISO can be found at the following address: 

In addition to updating the SystemVM ISO, all customers should update their 
system and router virtual machine templates to the latest version. More 
information on how to obtain and upgrade these templates is available in the 
following article: https://support.citrix.com/article/CTX200024

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential 
security issue. This article is also available from the Citrix Knowledge 
Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix 
Technical Support. Contact details for Citrix Technical Support are available
at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For guidance on how to report 
security-related issues to Citrix, please see the following document: 
CTX081743 Reporting Security Issues to Citrix


Date 			Change

January 6th 2015 	Initial bulletin publishing

January 12th 2015 	Addition of XenServer section

February 2nd 2015 	Addition of XenMobile App Controller section

March 4th 2015 		Addition of CloudPlatform section

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.