
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0163
  Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
                              15 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix XenServer
                   Citrix NetScaler
Publisher:         Citrix
Operating System:  Windows
                   Network Appliance
Impact/Access:     Access Privileged Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Reference:         ASB-2018.0009
                   ESB-2018.0137
                   ESB-2018.0136
                   ESB-2018.0135
                   ASB-2018.0002.4

Original Bulletin: 
   https://support.citrix.com/article/CTX231399

--------------------------BEGIN INCLUDED TEXT--------------------

CTX231399

Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Security Bulletin

Modified: 14 Jan 2018

Overview

A new class of issues has been identified in common CPU architectures. The 
presently known issues could allow unprivileged code to read privileged memory
locations.

Citrix is analysing the potential impact of these issues across its product 
range. This bulletin will be updated as further information becomes available
on the impacts of these issues and their variants.

Please note that, although these are issues in the underlying processor 
hardware, Citrix intends to provide software updates, together with our 
partners, to mitigate these issues where practical.

Please review the following sections for information on your specific Citrix 
products. This bulletin will be updated as more information becomes available.
Customers can receive e-mail notifications about updated or new security 
bulletins by subscribing at the following address: 
https://support.citrix.com/user/alerts

Products that we believe are not impacted:

Citrix XenMobile Server: Citrix believes that currently supported versions of
Citrix XenMobile Server are not impacted by the presently known variants of 
these issues.

Citrix XenMobile MDX Toolkit and SDK: Citrix believes that currently supported
versions of Citrix XenMobile MDX Toolkit and SDK are not impacted by the 
presently known variants of these issues.

Citrix NetScaler (MPX/VPX): Citrix believes that currently supported versions
of Citrix NetScaler MPX and VPX are not impacted by the presently known 
variants of these issues.

Citrix NetScaler AppFirewall Platforms: Citrix believes that currently 
supported versions of Citrix NetScaler AppFirewall Platforms are not impacted
by the presently known variants of these issues.

Citrix NetScaler Insight Center: Citrix believes that currently supported 
versions of Citrix NetScaler Insight Center are not impacted by the presently
known variants of these issues.

Citrix NetScaler SD-WAN (Standard, Enterprise, WAN Optimization (except 
1000WS/2000WS platform) editions) / SD-WAN Center: Citrix believes that 
currently supported versions of Citrix NetScaler SD-WAN are not impacted by 
the presently known variants of these issues.

Citrix ShareFile StorageZones Controller: Citrix believes that currently 
supported versions of Citrix ShareFile StorageZones Controller are not 
impacted by the presently known variants of these issues.

Citrix License Server: Citrix believes that currently supported versions of 
Citrix License Server are not impacted by the presently known variants of 
these issues.

Citrix StoreFront: Citrix believes that currently supported versions of Citrix
StoreFront are not impacted by the presently known variants of these issues.

Citrix App Orchestration: Citrix believes that currently supported versions of
Citrix App Orchestration are not impacted by the presently known variants of 
these issues.

Citrix App Layering: Citrix believes that currently supported versions of 
Citrix App Layering are not impacted by the presently known variants of these
issues.

Products that may require Third Party updates:

Citrix XenApp/XenDesktop: Citrix believes that currently supported versions of
the core Citrix XenApp and XenDesktop products are not impacted by presently 
known variants of these issues. However, it is probable that the underlying 
operating system, drivers and CPU firmware will require updating. Citrix 
strongly recommends that customers contact their operating system and hardware
vendors for information on how to obtain these updates.

Citrix Provisioning Services: Citrix believes that currently supported 
versions of Citrix Provisioning Services products are not impacted by 
presently known variants of these issues. However, it is probable that the 
underlying operating system, drivers and CPU firmware will require updating. 
Citrix strongly recommends that customers contact their operating system and 
hardware vendors for information on how to obtain these updates.

Citrix AppDNA: Citrix believes that currently supported versions of Citrix 
AppDNA are not impacted by presently known variants of these issues. However,
it is probable that the underlying operating system, drivers and CPU firmware
will require updating. Citrix strongly recommends that customers contact their
operating system and hardware vendors for information on how to obtain these 
updates.

Citrix Linux VDA: Citrix believes that currently supported versions of Citrix
Linux VDA are not impacted by presently known variants of these issues. 
However, it is probable that the underlying operating system, drivers and CPU
firmware will require updating. Citrix strongly recommends that customers 
contact their operating system and hardware vendors for information on how to
obtain these updates.

Citrix XenMobile Worx components: Citrix believes that currently supported 
versions of Citrix XenMobile Worx components are not impacted by presently 
known variants of these issues. However, it is probable that the underlying 
operating system, drivers and CPU firmware will require updating. Citrix 
strongly recommends that customers contact their operating system and hardware
vendors for information on how to obtain these updates.

Citrix ShareFile Clients on Desktop and Mobile: Citrix believes that currently
supported versions of Citrix ShareFile Clients are not impacted by presently 
known variants of these issues. However, it is probable that the underlying 
operating system, drivers and CPU firmware will require updating. Citrix 
strongly recommends that customers contact their operating system and hardware
vendors for information on how to obtain these updates.

Citrix Receivers for Desktop and Mobile: Citrix believes that currently 
supported versions of Citrix Receivers are not impacted by presently known 
variants of these issues. However, it is probable that the underlying 
operating system, drivers and CPU firmware will require updating. Citrix 
strongly recommends that customers contact their operating system and hardware
vendors for information on how to obtain these updates.

ByteMobile products: When deployed in line with Citrix recommendations, Citrix
believes that currently supported versions of ByteMobile products are not 
impacted by the presently known variants of these issues. However, Citrix 
strongly recommends that customers using virtualized installations of 
ByteMobile products contact their Citrix ByteMobile Telco Support contact for
potential mitigation steps and further information.

Products that we believe are impacted:

Citrix NetScaler SDX: Citrix believes that currently supported versions of 
Citrix NetScaler SDX are not at risk from malicious network traffic. However,
in light of these issues, Citrix strongly recommends that customers only 
deploy NetScaler instances on Citrix NetScaler SDX where the NetScaler admins
are trusted.

Citrix NetScaler SD-WAN (WANOpt1000WS/2000WS): When deployed in environments 
with only trusted administrators, Citrix believes that currently supported WAN
Optimization versions of Citrix SD-WAN on 1000WS/2000WS platforms are not at 
risk from malicious network traffic. Citrix strongly recommends that Citrix 
SD-WAN 1000WS and 2000WS administrators ensure that access to the [Citrix 
supplied Windows VM] is limited to trusted administrators only.

Citrix XenServer: Please see https://support.citrix.com/article/ctx231390 for
information on Citrix XenServer.

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential 
security issue. This article is also available from the Citrix Knowledge 
Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix 
Technical Support. Contact details for Citrix Technical Support are available
at https://www.citrix.com/support/open-a-support-case.html.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For guidance on how to report 
security-related issues to Citrix, please see the following document: 
CTX081743 Reporting Security Issues to Citrix

Changelog

Date 			Change

3rd January 2018 	Initial publishing

3rd January 2018 	Updated immediately after embargo expiry

4th January 2018 	Updated to include XenServer

5th January 2018 	Expanded product coverage

9th January 2018 	Updated product coverage

11th January 2018	Added information for ByteMobile products

14th January 2018 	Added information for NetScaler SD-WAN

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================