-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Citrix Security Advisory for NTP Vulnerabilities
18 March 2015
AusCERT Security Bulletin Summary
Product: Citrix products
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
CVE Names: CVE-2014-9296 CVE-2014-9295 CVE-2014-9294
- --------------------------BEGIN INCLUDED TEXT--------------------
Citrix Security Advisory for NTP Vulnerabilities
Created on Jan 05, 2015
Updated on Mar 04, 2015
Severity : None
Description of Problem
Citrix is aware of recent vulnerability reports that impact Network Time
Protocol (NTP) and is actively investigating the potential impact of these
issues on Citrix products. There are a number of CVEs related to this issue;
the current set includes:
The following sections provide some initial guidance to customers on the
potential impact of this issue. Please note that this issue is under active
analysis and, as such, customers should check back frequently to get the
current status of our response.
NetScaler ADC & NetScaler Gateway
By default, NTP is disabled on the NetScaler and, as such, is not vulnerable
to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. However, in
deployments where customers have enabled NTP on the appliance, it is likely
that these vulnerabilities will impact NetScaler.
Citrix is currently in the process of investigating the potential effects of
these issues on affected NetScaler versions. As an interim mitigation for
deployments that require NTP on NetScaler, we recommend that customers apply
the following remediation:
Open the NetScaler's ntp.conf file in /etc and add the following lines:
restrict -4 default notrap nopeer nomodify noquery
restrict -6 default notrap nopeer nomodify noquery
In addition to adding the above two lines, all other 'restrict' directives
should be reviewed to ensure that they contain both 'nomodify' and 'noquery'
and that the file contains no 'crypto' directives.
When this editing is complete, save the file and copy it to the /nsconfig
directory. The NTP service must then be restarted for the changes to take
effect. As with all changes, Citrix recommends that this is evaluated in a
test environment prior to releasing to production.
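The following checker is an added example, not part of the Citrix advisory: it audits an ntp.conf body against the interim mitigation described above (both default restrict lines present with notrap nopeer nomodify noquery, nomodify and noquery on every other restrict line, no crypto directive). The sample configurations are constructed for the example and the audit function name is my own.

```python
# Added example, not from the Citrix advisory: audit an ntp.conf against the
# interim NetScaler mitigation quoted above (sample configs below are constructed).
DEFAULT_FLAGS = {"notrap", "nopeer", "nomodify", "noquery"}
OTHER_FLAGS = {"nomodify", "noquery"}

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the file matches the
    mitigation (both default restrict lines, nomodify+noquery everywhere, no crypto)."""
    findings = []
    default_seen = {"-4": False, "-6": False}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "crypto":
            findings.append(f"line {lineno}: 'crypto' directive present; remove it")
            continue
        if directive != "restrict":
            continue
        flags = {t.lower() for t in tokens[1:]}
        if "default" in flags:
            # a 'restrict default' without -4/-6 applies to both families in ntpd
            for fam in [t for t in ("-4", "-6") if t in flags] or ["-4", "-6"]:
                default_seen[fam] = True
            required = DEFAULT_FLAGS
        else:
            required = OTHER_FLAGS
        missing = required - flags
        if missing:
            findings.append(f"line {lineno}: restrict lacks {', '.join(sorted(missing))}")
    for fam, seen in default_seen.items():
        if not seen:
            findings.append(f"missing: restrict {fam} default notrap nopeer nomodify noquery")
    return findings

WEAK_CONF = """driftfile /var/db/ntp.drift
server 0.pool.ntp.org
restrict -4 default nomodify
restrict 192.0.2.10
crypto pw PLACEHOLDER
"""
FIXED_CONF = """driftfile /var/db/ntp.drift
server 0.pool.ntp.org
restrict -4 default notrap nopeer nomodify noquery
restrict -6 default notrap nopeer nomodify noquery
restrict 192.0.2.10 nomodify noquery
"""
```

Run audit_ntp_conf over the contents of /etc/ntp.conf before copying it to /nsconfig; any finding means the mitigation is incomplete.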
Some XenServer versions may include a version of ntpd that contains the
vulnerable code. However, the NTP configuration used by XenServer results in
these issues not being exploitable as the relevant functionality cannot be
reached by untrusted network traffic.
XenMobile App Controller
A patch for affected versions of Citrix AppController has been released that
addresses this vulnerability. This patch is available on the Citrix website at
the following address:
Citrix recommends that customers using affected versions of App Controller
apply this patch to their appliances as soon as their patching schedule
The following versions of Citrix CloudPlatform are impacted by this
Citrix CloudPlatform 4.3.x: This vulnerability affects all versions of
CloudPlatform up to and including version 126.96.36.199.
Citrix CloudPlatform 4.2.x: This vulnerability affects all versions of
CloudPlatform up to and including version 4.2.1-6.
Citrix CloudPlatform 3.0.x: This vulnerability affects all versions of
CloudPlatform up to and including version 3.0.7 Patch G.
Citrix CloudPlatform 4.5 is not affected by this vulnerability.
Customers using affected versions of Citrix CloudPlatform should update their
SystemVM ISO. Download details and more information on how to update the
SystemVM ISO can be found at the following address:
In addition to updating the SystemVM ISO, all customers should update their
system and router virtual machine templates to the latest version. More
information on how to obtain and upgrade these templates is available in the
following article: https://support.citrix.com/article/CTX200024
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge
Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For guidance on how to report
security-related issues to Citrix, please see the following document:
CTX081743 Reporting Security Issues to Citrix
January 6th 2015 Initial bulletin publishing
January 12th 2015 Addition of XenServer section
February 2nd 2015 Addition of XenMobile App Controller section
March 4th 2015 Addition of CloudPlatform section
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.