-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0662
             Citrix Security Advisory for NTP Vulnerabilities
                               18 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix products
Publisher:         Citrix
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Virtualisation
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9296 CVE-2014-9295 CVE-2014-9294
                   CVE-2014-9293  

Reference:         ASB-2015.0023
                   ASB-2015.0003
                   ESB-2015.0535
                   ESB-2015.0422
                   ESB-2015.0363
                   ASB-2014.0145

Original Bulletin: 
   https://support.citrix.com/article/CTX200355

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Security Advisory for NTP Vulnerabilities

CTX200355 

Created on Jan 05, 2015 

Updated on Mar 04, 2015


Security Bulletin 

Severity : None

Description of Problem

Citrix is aware of recent vulnerability reports that impact Network Time 
Protocol (NTP) and is actively investigating the potential impact of these 
issues on Citrix products. There are a number of CVEs related to this issue, 
the current set includes:

   CVE-2014-9293

   CVE-2014-9294

   CVE-2014-9295

   CVE-2014-9296

The following sections provide some initial guidance to customers on the 
potential impact of this issue. Please note that this issue is under active 
analysis and, as such, customers should check back frequently to get the 
current status of our response.

NetScaler ADC & NetScaler Gateway

By default, NTP is disabled on the NetScaler and, as such, is not vulnerable 
to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. However, in
deployments where customers have enabled NTP on the appliance, it is likely 
that these vulnerabilities will impact NetScaler.

Citrix is currently in the process of investigating the potential effects of 
these issues on affected NetScaler versions. As an interim mitigation for 
deployments that require NTP on NetScaler, we recommend that customers apply 
the following remediation:

Open the NetScaler's ntp.conf file in /etc and add the following lines:

   restrict -4 default notrap nopeer nomodify noquery

   restrict -6 default notrap nopeer nomodify noquery

In addition to adding the above two lines, all other 'restrict' directives 
should be reviewed to ensure that they contain both 'nomodify' and 'noquery' 
and that the file contains no 'crypto' directives.

When this editing is complete, save the file and copy it to the /nsconfig 
directory. The NTP service must then be restarted for the changes to take 
effect. As with all changes, Citrix recommends that this is evaluated in a 
test environment prior to releasing to production.
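As an added example that is not part of the Citrix advisory, the following Python audit checks an ntp.conf against the three conditions above: both 'default' restrict lines present with all four flags, 'nomodify' and 'noquery' on every other 'restrict' directive, and no 'crypto' directive. The sample configurations are constructed; the check also treats a bare 'restrict default' (no -4/-6) as covering both address families, as ntpd does.

```python
# Constructed sample ntp.conf contents (not from a real appliance), audited against the mitigation above.
WEAK_CONF = """\
server ntp.example.com
restrict 127.0.0.1
restrict -6 ::1
crypto pw secret
"""

HARDENED_CONF = """\
server ntp.example.com
restrict -4 default notrap nopeer nomodify noquery
restrict -6 default notrap nopeer nomodify noquery
restrict 127.0.0.1 nomodify noquery
restrict -6 ::1 nomodify noquery
"""

DEFAULT_FLAGS = {"notrap", "nopeer", "nomodify", "noquery"}  # required on 'default' lines
OTHER_FLAGS = {"nomodify", "noquery"}                        # required on every other restrict


def directives(text):
    """Yield (keyword, args) per directive line, ignoring blanks and '#' comments."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the file meets the advisory's checks."""
    findings, seen_default = [], set()
    for keyword, args in directives(text):
        if keyword == "crypto":
            findings.append("crypto directive present: remove it")
        elif keyword == "restrict":
            # Optional -4/-6 address family; without it, 'default' covers both families.
            fams = ("-4", "-6")
            if args and args[0] in fams:
                fams, args = (args[0],), args[1:]
            target, flags = (args[0] if args else ""), set(args[1:])
            if target == "default":
                seen_default.update(fams)
                missing = DEFAULT_FLAGS - flags
            else:
                missing = OTHER_FLAGS - flags
            if missing:
                findings.append(f"restrict {target} missing {sorted(missing)}")
    for fam in ("-4", "-6"):
        if fam not in seen_default:
            findings.append(f"no 'restrict {fam} default' line")
    return findings
```

Run it against a copy of the file before and after editing; the hardened sample returns no findings, the weak one lists each missing flag, the absent default lines and the crypto directive.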

XenServer

Some XenServer versions may include a version of ntpd that contains the 
vulnerable code. However, the NTP configuration used by XenServer results in 
these issues not being exploitable as the relevant functionality cannot be 
reached by untrusted network traffic.

XenMobile App Controller

A patch for affected versions of Citrix AppController has been released that 
addresses this vulnerability. This patch is available on the Citrix website at 
the following address:

https://support.citrix.com/article/CTX142031

Citrix recommends that customers using affected versions of App Controller 
apply this patch to their appliances as soon as their patching schedule 
allows.

Citrix CloudPlatform

The following versions of Citrix CloudPlatform are impacted by this 
vulnerability:

   Citrix CloudPlatform 4.3.x: This vulnerability affects all versions of 
   CloudPlatform up to and including version 4.3.0.2.

   Citrix CloudPlatform 4.2.x: This vulnerability affects all versions of 
   CloudPlatform up to and including version 4.2.1-6.

   Citrix CloudPlatform 3.0.x: This vulnerability affects all versions of 
   CloudPlatform up to and including version 3.0.7 Patch G.

Citrix CloudPlatform 4.5 is not affected by this vulnerability.

Customers using affected versions of Citrix CloudPlatform should update their
SystemVM ISO. Download details and more information on how to update the 
SystemVM ISO can be found at the following address: 
https://support.citrix.com/article/CTX200459

In addition to updating the SystemVM ISO, all customers should update their 
system and router virtual machine templates to the latest version. More 
information on how to obtain and upgrade these templates is available in the 
following article: https://support.citrix.com/article/CTX200024

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential 
security issue. This article is also available from the Citrix Knowledge 
Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix 
Technical Support. Contact details for Citrix Technical Support are available
at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For guidance on how to report 
security-related issues to Citrix, please see the following document: 
CTX081743 Reporting Security Issues to Citrix

Changelog

Date                Change

January 6th 2015    Initial bulletin publishing

January 12th 2015   Addition of XenServer section

February 2nd 2015   Addition of XenMobile App Controller section

March 4th 2015      Addition of CloudPlatform section

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================