02 June 2016
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.1396 Vulnerability in Citrix Studio Could Result in Insecure Access Policy Configuration 2 June 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Citrix XenDesktop Publisher: Citrix Operating System: Windows Virtualisation Impact/Access: Reduced Security -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2016-4810 Original Bulletin: http://support.citrix.com/article/CTX213045 - --------------------------BEGIN INCLUDED TEXT-------------------- CTX213045 Vulnerability in Citrix Studio Could Result in Insecure Access Policy Configuration Security Bulletin Medium Created: 31 May 2016 Modified: 31 May 2016 Description of Problem A vulnerability has been identified in Citrix Studio that could allow Access Policy rules to be set insecurely on the Citrix XenDesktop Delivery Controller. This vulnerability affects the following product versions: Citrix XenDesktop 7.x between versions 7.0 and 7.6 inclusive, including 7.6 Long Term Service Release (LTSR) Citrix XenApp versions 7.5 and 7.6 Citrix Studio for Citrix XenApp and XenDesktop versions 7.7 and later are not affected by this vulnerability. Citrix XenDesktop 5.6 and earlier, and Citrix XenApp 6.x and earlier, are not affected by this vulnerability. This vulnerability has been assigned the following CVE number: CVE-2016-4810: Vulnerability in Citrix Studio Could Result in Insecure Access Policy Configuration. Mitigating Factors Access policy rules that have not been edited from their default are not affected by this vulnerability. What Customers Should Do Citrix has releas Citrix Studio 7.6.1000 or later Customers using Citrix XenDesktop 7.6 LTSR should apply Cumulative Update 1 (CU1). This new version can be downloaded from the following location: https://www.citrix.com/downloads/xendesktop.html In addition to upgrading to a version of Citrix Studio that contains the fix for this issue, Citrix also recommends that all customers review their current Access Policy rules to ensure that they reflect the intended configuration. More information on how to accomplish this using the associated PowerShell script can be found in the following Knowledge Center article: https://support.citrix.com/article/ctx213417 What Citrix Is Doing Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/. Obtaining Support on This Issue If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp. Reporting Security Vulnerabilities Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 Reporting Security Issues to Citrix Applicable Products XenDesktop 5.6 XenDesktop 7 XenDesktop 7.1 XenDesktop 7.5 XenDesktop 7.6 XenDesktop 7.6 Feature Pack 3 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBV0/D64x+lLeg9Ub1AQgA4Q/+IS8wSBV85OIo//YdR8L5k7oN2uWnZP5m Vjo58UxtxYwnNUoChitzw1N8OwgtCQNRs2Ln3fM9FGumD2OsVwVln7avH+EKaUFO yfWRew+JBVD44dshibQ6lBbw5et9K65Et5OFXJu4xW4+N7mv2StdNTX9gtzmjiFW QZfLZZvbFUK0IA/EcN/oaBVFiUzhjt8gEZ9DpWRnYs5dpNBdveZ3fNyiR6IMLyJO GaxDlLF517LpcNDBoAk8c7PQ8HnFGKUmauKF588u4a0iXqPbXmJA6QPR14rOcAUT J9ujCqDaf1EWon4KFIeb4UjitjiHDpG8HbdDmvl8Rsy7np30mebiIgWRInWXAkuF S+vagbl+h8GeFQaex3tu0v8vRiPoUtXMC13V6RKu3IIFbIqCXJ18PLjlOCoaQmsN x5A+SsIHsEDR1SGbcEv1yAQtx/+JXw10v2SgZ/tABr4fxN5hdRRp7IgOhPG1DmsM nknFHbyGvkbQdE13yH8dncRzmWyjZtJvTd5AkFW0V0P7PMIdgNdFDRmEj8cKOWg3 t2rpT2hH2/EqZznYaMmGg7yK+GZj4h9E6dunui9ftCPGcfwohnj43kaDSgpelDro ykRbKzao0pyAPSRdokSDUg+USQT21GVYSG2bJ4RjStdptwTf12ZApXcGUeuibQ6P FjdAQ63z/DM= =MVoP -----END PGP SIGNATURE-----