===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0662
               Citrix Security Advisory for NTP Vulnerabilities
                               18 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix products
Publisher:         Citrix
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Virtualisation
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9296 CVE-2014-9295 CVE-2014-9294 CVE-2014-9293

Reference:         ASB-2015.0023 ASB-2015.0003 ESB-2015.0535 ESB-2015.0422
                   ESB-2015.0363 ASB-2014.0145

Original Bulletin:
   https://support.citrix.com/article/CTX200355

--------------------------BEGIN INCLUDED TEXT--------------------

Citrix Security Advisory for NTP Vulnerabilities

CTX200355
Created on Jan 05, 2015
Updated on Mar 04, 2015

Security Bulletin
Severity: None

Description of Problem

Citrix is aware of recent vulnerability reports that impact Network Time
Protocol (NTP) and is actively investigating the potential impact of these
issues on Citrix products.

There are a number of CVEs related to this issue; the current set includes:

    CVE-2014-9293
    CVE-2014-9294
    CVE-2014-9295
    CVE-2014-9296

The following sections provide some initial guidance to customers on the
potential impact of this issue. Please note that this issue is under active
analysis and, as such, customers should check back frequently to get the
current status of our response.

NetScaler ADC & NetScaler Gateway

By default, NTP is disabled on the NetScaler and, as such, it is not
vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296.
However, in deployments where customers have enabled NTP on the appliance, it
is likely that these vulnerabilities will impact NetScaler. Citrix is currently
in the process of investigating the potential effects of these issues on
affected NetScaler versions.

As an interim mitigation for deployments that require NTP on NetScaler, we
recommend that customers apply the following remediation:

Open the NetScaler's ntp.conf file in /etc and add the following lines:

    restrict -4 default notrap nopeer nomodify noquery
    restrict -6 default notrap nopeer nomodify noquery

In addition to adding the above two lines, all other 'restrict' directives
should be reviewed to ensure that they contain both 'nomodify' and 'noquery',
and that the file contains no 'crypto' directives.

When this editing is complete, save the file and copy it to the /nsconfig
directory. The NTP service must then be restarted for the changes to take
effect. As with all changes, Citrix recommends that this is evaluated in a
test environment prior to releasing to production.

XenServer

Some XenServer versions may include a version of ntpd that contains the
vulnerable code. However, the NTP configuration used by XenServer results in
these issues not being exploitable, as the relevant functionality cannot be
reached by untrusted network traffic.

XenMobile App Controller

A patch for affected versions of Citrix AppController has been released that
addresses this vulnerability. This patch is available on the Citrix website at
the following address:

    https://support.citrix.com/article/CTX142031

Citrix recommends that customers using affected versions of App Controller
apply this patch to their appliances as soon as their patching schedule allows.

Citrix CloudPlatform

The following versions of Citrix CloudPlatform are impacted by this
vulnerability:

Citrix CloudPlatform 4.3.x: This vulnerability affects all versions of
CloudPlatform up to and including version 4.3.0.2.
Citrix CloudPlatform 4.2.x: This vulnerability affects all versions of
CloudPlatform up to and including version 4.2.1-6.

Citrix CloudPlatform 3.0.x: This vulnerability affects all versions of
CloudPlatform up to and including version 3.0.7 Patch G.

Citrix CloudPlatform 4.5 is not affected by this vulnerability.

Customers using affected versions of Citrix CloudPlatform should update their
SystemVM ISO. Download details and more information on how to update the
SystemVM ISO can be found at the following address:

    https://support.citrix.com/article/CTX200459

In addition to updating the SystemVM ISO, all customers should update their
system and router virtual machine templates to the latest version. More
information on how to obtain and upgrade these templates is available in the
following article:

    https://support.citrix.com/article/CTX200024

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge
Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For guidance on how to report
security-related issues to Citrix, please see the following document:
CTX081743 Reporting Security Issues to Citrix

Changelog

Date                 Change
January 6th 2015     Initial bulletin publishing
January 12th 2015    Addition of XenServer section
February 2nd 2015    Addition of XenMobile App Controller section
March 4th 2015       Addition of CloudPlatform section

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
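The NetScaler section above describes the interim mitigation as a manual edit of ntp.conf. The following audit script, added here as an example rather than anything shipped by Citrix or AusCERT, checks a copy of that file against the same three conditions: a v4 and a v6 'default' restrict line carrying nomodify and noquery, every other restrict line carrying both flags, and no crypto directive. Both sample configurations are constructed for the example, and the script assumes a syntactically valid ntp.conf.

```python
"""Audit an ntp.conf against the restrict/crypto guidance in the NetScaler section."""
REQUIRED_FLAGS = {"nomodify", "noquery"}

# Constructed sample: a typical shipped ntp.conf with none of the recommended flags.
WEAK_CONF = """server 0.pool.ntp.org
restrict default kod
restrict 127.0.0.1
crypto pw secret
"""

# Constructed sample after applying the interim mitigation from the advisory.
HARDENED_CONF = """server 0.pool.ntp.org
restrict -4 default notrap nopeer nomodify noquery
restrict -6 default notrap nopeer nomodify noquery
restrict 127.0.0.1 nomodify noquery
"""

def parse_ntp_conf(text):
    """Yield (directive, args) pairs, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), parts[1:]

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the file meets the guidance."""
    findings = []
    default_ok = {"-4": False, "-6": False}
    for directive, args in parse_ntp_conf(text):
        if directive == "crypto":
            findings.append("crypto directive present")
            continue
        if directive != "restrict":
            continue
        families = ["-4", "-6"]  # a plain 'restrict default' applies to both families
        if args and args[0] in ("-4", "-6"):
            families, args = [args[0]], args[1:]
        target, flags = args[0], set(args[1:])
        missing = REQUIRED_FLAGS - flags
        if missing:
            findings.append(f"restrict {target} lacks {' '.join(sorted(missing))}")
        elif target == "default":
            for fam in families:
                default_ok[fam] = True
    for fam, ok in default_ok.items():
        if not ok:
            findings.append(f"no 'restrict {fam} default' line with nomodify noquery")
    return findings
```

Run audit_ntp_conf() over the file copied to /nsconfig before restarting the NTP service; an empty result means the edit matches the advisory's recommendation.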
===========================================================================