-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0163
    Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
                              15 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix XenServer
                   Citrix NetScaler
Publisher:         Citrix
Operating System:  Windows
                   Network Appliance
Impact/Access:     Access Privileged Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Reference:         ASB-2018.0009
                   ESB-2018.0137
                   ESB-2018.0136
                   ESB-2018.0135
                   ASB-2018.0002.4

Original Bulletin:
   https://support.citrix.com/article/CTX231399

- --------------------------BEGIN INCLUDED TEXT--------------------

CTX231399
Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Security Bulletin
Modified: 14 Jan 2018

Overview

A new class of issues has been identified in common CPU architectures. The
presently known issues could allow unprivileged code to read privileged
memory locations.

Citrix is analysing the potential impact of these issues across its product
range. This bulletin will be updated as further information becomes available
on the impacts of these issues and their variants.

Please note that, although these are issues in the underlying processor
hardware, Citrix intends to provide software updates, together with our
partners, to mitigate these issues where practical.

Please review the following sections for information on your specific Citrix
products. This bulletin will be updated as more information becomes available.

Customers can receive e-mail notifications about updated or new security
bulletins by subscribing at the following address:
https://support.citrix.com/user/alerts

Products that we believe are not impacted:

Citrix XenMobile Server: Citrix believes that currently supported versions of
Citrix XenMobile Server are not impacted by the presently known variants of
these issues.

Citrix XenMobile MDX Toolkit and SDK: Citrix believes that currently supported
versions of Citrix XenMobile MDX Toolkit and SDK are not impacted by the
presently known variants of these issues.

Citrix NetScaler (MPX/VPX): Citrix believes that currently supported versions
of Citrix NetScaler MPX and VPX are not impacted by the presently known
variants of these issues.

Citrix NetScaler AppFirewall Platforms: Citrix believes that currently
supported versions of Citrix NetScaler AppFirewall Platforms are not impacted
by the presently known variants of these issues.

Citrix NetScaler Insight Center: Citrix believes that currently supported
versions of Citrix NetScaler Insight Center are not impacted by the presently
known variants of these issues.

Citrix NetScaler SD-WAN (Standard, Enterprise, WAN Optimization (except
1000WS/2000WS platform) editions) / SD-WAN Center: Citrix believes that
currently supported versions of Citrix NetScaler SD-WAN are not impacted by
the presently known variants of these issues.

Citrix ShareFile StorageZones Controller: Citrix believes that currently
supported versions of Citrix ShareFile StorageZones Controller are not
impacted by the presently known variants of these issues.

Citrix License Server: Citrix believes that currently supported versions of
Citrix License Server are not impacted by the presently known variants of
these issues.

Citrix StoreFront: Citrix believes that currently supported versions of Citrix
StoreFront are not impacted by the presently known variants of these issues.

Citrix App Orchestration: Citrix believes that currently supported versions of
Citrix App Orchestration are not impacted by the presently known variants of
these issues.

Citrix App Layering: Citrix believes that currently supported versions of
Citrix App Layering are not impacted by the presently known variants of these
issues.

Products that may require Third Party updates:

Citrix XenApp/XenDesktop: Citrix believes that currently supported versions of
the core Citrix XenApp and XenDesktop products are not impacted by presently
known variants of these issues. However, it is probable that the underlying
operating system, drivers and CPU firmware will require updating. Citrix
strongly recommends that customers contact their operating system and
hardware vendors for information on how to obtain these updates.

Citrix Provisioning Services: Citrix believes that currently supported
versions of Citrix Provisioning Services products are not impacted by
presently known variants of these issues. However, it is probable that the
underlying operating system, drivers and CPU firmware will require updating.
Citrix strongly recommends that customers contact their operating system and
hardware vendors for information on how to obtain these updates.

Citrix AppDNA: Citrix believes that currently supported versions of Citrix
AppDNA are not impacted by presently known variants of these issues. However,
it is probable that the underlying operating system, drivers and CPU firmware
will require updating. Citrix strongly recommends that customers contact their
operating system and hardware vendors for information on how to obtain these
updates.

Citrix Linux VDA: Citrix believes that currently supported versions of Citrix
Linux VDA are not impacted by presently known variants of these issues.
However, it is probable that the underlying operating system, drivers and CPU
firmware will require updating. Citrix strongly recommends that customers
contact their operating system and hardware vendors for information on how to
obtain these updates.

Citrix XenMobile Worx components: Citrix believes that currently supported
versions of Citrix XenMobile Worx components are not impacted by presently
known variants of these issues. However, it is probable that the underlying
operating system, drivers and CPU firmware will require updating. Citrix
strongly recommends that customers contact their operating system and
hardware vendors for information on how to obtain these updates.

Citrix ShareFile Clients on Desktop and Mobile: Citrix believes that currently
supported versions of Citrix ShareFile Clients are not impacted by presently
known variants of these issues. However, it is probable that the underlying
operating system, drivers and CPU firmware will require updating. Citrix
strongly recommends that customers contact their operating system and
hardware vendors for information on how to obtain these updates.

Citrix Receivers for Desktop and Mobile: Citrix believes that currently
supported versions of Citrix Receivers are not impacted by presently known
variants of these issues. However, it is probable that the underlying
operating system, drivers and CPU firmware will require updating. Citrix
strongly recommends that customers contact their operating system and
hardware vendors for information on how to obtain these updates.

ByteMobile products: When deployed in line with Citrix recommendations, Citrix
believes that currently supported versions of ByteMobile products are not
impacted by the presently known variants of these issues. However, Citrix
strongly recommends that customers using virtualized installations of
ByteMobile products contact their Citrix ByteMobile Telco Support contact for
potential mitigation steps and further information.
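For every product in the section above the bulletin defers to the operating system and firmware vendors for the actual fix, so the practical follow-up is to confirm that the OS-level mitigation is in place. The script below is an added check, not part of the Citrix or AusCERT text: it maps the three CVEs named in this bulletin to the Linux kernel's self-reported status files under /sys/devices/system/cpu/vulnerabilities/ (exposed by kernels from 4.15 onward and by vendor backports); that path and the status strings it matches are assumptions about the kernel interface, and the fixture values used in testing are constructed.

```shell
#!/bin/sh
# Added example: report kernel mitigation status for the bulletin's three CVEs.
# Assumes the sysfs interface /sys/devices/system/cpu/vulnerabilities/ (kernel 4.15+
# or a vendor backport). A missing file is reported as a gap, not silently skipped.

# Map a CVE id from the bulletin to the kernel's sysfs file name.
cve_to_sysfs() {
    case "$1" in
        CVE-2017-5753) echo spectre_v1 ;;   # Spectre variant 1: bounds check bypass
        CVE-2017-5715) echo spectre_v2 ;;   # Spectre variant 2: branch target injection
        CVE-2017-5754) echo meltdown ;;     # Meltdown: rogue data cache load
        *) return 1 ;;
    esac
}

# Print "<cve> <sysfs-name> <kernel status>" per CVE and return the number of
# entries that are still vulnerable, unreported, or unrecognised.
# $1 = directory to read; defaults to the live sysfs path, a test may pass a fixture.
check_speculation_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    unmitigated=0
    for cve in CVE-2017-5753 CVE-2017-5715 CVE-2017-5754; do
        name=$(cve_to_sysfs "$cve")
        file="$dir/$name"
        if [ ! -r "$file" ]; then
            # Kernel predates the interface or was not patched: treat as a gap.
            status="UNKNOWN (kernel does not report $name)"
            unmitigated=$((unmitigated + 1))
        else
            status=$(cat "$file")
            case "$status" in
                "Not affected"|Mitigation:*) ;;                 # nothing to do
                Vulnerable*) unmitigated=$((unmitigated + 1)) ;; # kernel says exposed
                *) unmitigated=$((unmitigated + 1)) ;;           # unexpected text: be conservative
            esac
        fi
        printf '%s %s %s\n' "$cve" "$name" "$status"
    done
    return "$unmitigated"
}

# Entry point: "--live" runs against the real sysfs; sourcing the file only
# defines the functions so they can be reused from other scripts.
if [ "${1:-}" = "--live" ]; then
    check_speculation_status
    echo "unmitigated or unreported entries: $?"
fi
```

A non-zero exit status from `--live` means at least one of the three CVEs is not mitigated by the running kernel, which is the signal to chase the OS or firmware update the bulletin points to.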
Products that we believe are impacted:

Citrix NetScaler SDX: Citrix believes that currently supported versions of
Citrix NetScaler SDX are not at risk from malicious network traffic. However,
in light of these issues, Citrix strongly recommends that customers only
deploy NetScaler instances on Citrix NetScaler SDX where the NetScaler admins
are trusted.

Citrix NetScaler SD-WAN (WANOpt 1000WS/2000WS): When deployed in environments
with only trusted administrators, Citrix believes that currently supported WAN
Optimization versions of Citrix SD-WAN on 1000WS/2000WS platforms are not at
risk from malicious network traffic. Citrix strongly recommends that Citrix
SD-WAN 1000WS and 2000WS administrators ensure that access to the [Citrix
supplied Windows VM] is limited to trusted administrators only.

Citrix XenServer: Please see https://support.citrix.com/article/ctx231390 for
information on Citrix XenServer.

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge
Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at https://www.citrix.com/support/open-a-support-case.html.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For guidance on how to report
security-related issues to Citrix, please see the following document:
CTX081743 Reporting Security Issues to Citrix

Changelog

Date                 Change
3rd January 2018     Initial publishing
3rd January 2018     Updated immediately after embargo expiry
4th January 2018     Updated to include XenServer
5th January 2018     Expanded product coverage
9th January 2018     Updated product coverage
11th January 2018    Added information for ByteMobile products
14th January 2018    Added information for NetScaler SD-WAN

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above.
If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================