Citrix XenServer multiple security updates

Today (November 13th 2012) Citrix has released a critical update for all of its XenServer products.

A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 6.1.

The following denial of service vulnerabilities have been addressed:

  • Timer overflow DoS vulnerability (CVE-2012-4535)
  • pirq range check DoS vulnerability (CVE-2012-4536)
  • Memory mapping failure DoS vulnerability (CVE-2012-4537)
  • Unhooking empty PAE entries DoS vulnerability (CVE-2012-4538)
  • Grant table hypercall infinite loop DoS vulnerability (CVE-2012-4539)
  • XENMEM_add_to_physmap DoS vulnerability (CVE-2012-4557)

Internet Explorer Fix it available now – security update scheduled for Friday

Earlier this week, an issue impacting Internet Explorer affected a small number of customers.  The potential exists, however, that more customers could be affected.  As a result, today we have released a Fix it that is available to address that issue.  This is an easy, one-click solution that will help protect your computer right away.  It will not affect your ability to browse the web, and it does not require a reboot of your computer.

Then, on this Friday, Sept. 21, we will release a cumulative update for Internet Explorer through Windows Update and our other standard distribution channels.  We recommend that you install this update as soon as it is available. If you have automatic updates enabled on your PC, you won’t need to take any action – it will automatically be updated on your machine.  This will not only reinforce the issue that the Fix It addressed, but cover other issues as well.

Today’s Advance Notification Service (ANS) provides additional details about the update we are releasing on Friday – MS12-063. We are planning to release this bulletin as close to 10 a.m. PDT as possible. This cumulative update for Internet Explorer has an aggregate severity rating of Critical. It addresses the publicly disclosed issue described in Security Advisory 2757760 as well as four other Critical-class remote code execution issues.

Vulnerability in Citrix Receiver with Online Plug-in for Windows could result in arbitrary code execution

Citrix has today released this medium-severity security vulnerability article.

Description of Problem

A vulnerability has been identified in the Citrix Receiver with Online Plug-in for Windows that could potentially allow an attacker to execute arbitrary code on the client device in the context of the currently logged in user.

This vulnerability is present in all versions of the Citrix Receiver for Windows up to and including version 3.2 and all versions of the Citrix Online Plug-in for Windows up to and including version 12.1.

This vulnerability has been assigned the following CVE:

• CVE-2012-4603

What Customers Should Do

This vulnerability has been addressed in the following products:

• The Citrix Receiver for Windows version 3.3 with Online Plug-in for Windows version 13.3 and later

• Version 12.3 of the Citrix Online Plug-in for Windows.

Citrix recommends that customers upgrade their Citrix Receivers and Online Plug-ins to these versions and later. These new versions can be obtained from the following location:

Mitigating Factors

To conduct a successful exploit, an attacker would have to convince a user to manually launch a specially crafted malicious file from an SMB or WebDAV fileserver. Deployments that prevent connections to potentially untrustworthy fileservers will be less exposed to this vulnerability.

Read the entire post here.

Citrix XenServer Multiple Security Updates

A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 6.0.2.

The following denial of service and guest-to-host privilege escalation vulnerabilities have been addressed:

• hypercall physdev_get_free_pirq vulnerability (CVE-2012-3495)

• PHYSDEVOP_map_pirq index vulnerability (CVE-2012-3498)

• Qemu VT100 emulation vulnerability (CVE-2012-3515)

• Grant table entry swaps have inadequate bounds checking (CVE-2012-3516)

• HVM guest user mode MMIO emulation DoS vulnerability (CVE-2012-3432)

• HVM guest destroy p2m teardown host DoS vulnerability (CVE-2012-3433)

• hypercall set_debugreg vulnerability (CVE-2012-3494)

• XENMEM_populate_physmap DoS vulnerability (CVE-2012-3496)

• PV guest console vulnerability (CVE-2012-4606)

Security guidelines for virtual desktops

This white paper provides an overview of the technologies and procedures that are available to help secure a Citrix based virtual desktop environment. Furthermore, recommendations for low and high security environments are provided. While many areas are covered, this document is not intended to be a comprehensive planning and configuration guide, or as a training guide. Furthermore, it is recommended that all changes are fully tested within a dedicated test environment before being implemented into production.

This white paper is split into the following sections:

  • Endpoint Security: Focuses on endpoint devices used to access a Citrix environment.
  • Access Security: Focuses on techniques for securing the Web Interface / Storefront network communications.
  • Authentication Security: Available authentication techniques are described in detail within this section.
  • Session Security: Focuses on techniques for securing the virtual desktop network communications.
  • Virtual Desktop Security: Outlines how virtual desktops can be secured.
  • Infrastructure Security: Techniques for securing the network communications between infrastructure components, as well as security-related monitoring and networking, are described. In addition, important items about organizational security are outlined.

Read and download the PDF here at the Citrix knowledgebase.

Security vulnerabilities in Citrix Access Gateway standard edition

Three security vulnerabilities have been identified in Access Gateway Standard Edition:

    • Directory traversal in Access Gateway Standard Edition 5.0.x prior to version 5.0.4 (critical severity)

    • Access Gateway Standard Edition 5.0.x can act as an open proxy (high severity)

    • Text content injection in Access Gateway Standard Edition 5.0.3 and 5.0.4 (low severity)

Access Gateway Standard Edition versions 4.5.x and 4.6.x and currently supported versions of NetScaler Access Gateway Enterprise Edition are not affected by these vulnerabilities.

What Customers Should Do

A patch for version 5.0.4 of the Access Gateway Standard Edition firmware has been released to address these vulnerabilities. Citrix strongly recommends that all customers using affected versions of Access Gateway Standard Edition apply this patch to their appliances as soon as possible. This patch can be found at the following location:

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. If you would like to report a security issue to Citrix, please compose an e-mail to stating the exact version of the product in which the vulnerability was found and the steps needed to reproduce the vulnerability.

Read the original KB article here.

Citrix XenServer multiple security updates

A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 6.0.2.

The following issues have been addressed:

• 64-bit PV guest to host privilege escalation vulnerability. This issue only impacts servers running on Intel processors and could permit a 64-bit PV guest to compromise the XenServer host (CVE-2012-0217).

• Guest denial of service on syscall/sysenter exception generation. This issue could permit user code within a PV guest to crash the guest operating system (CVE-2012-0218).

• Administrative connections to VM consoles through XAPI or XenCenter could be routed to the wrong VM.

Mitigating Factors

Customers that are using only Windows guests, which are never PV guests, are unaffected by the first two issues described above. Customers should refer to the XenServer product documentation for more information on the types of guests available.

What Customers Should Do

Hotfixes have been released to address these issues in all supported versions and update levels of Citrix XenServer. Citrix strongly recommends that customers using Citrix XenServer identify and apply the hotfixes that relate to their deployed versions:

Citrix XenServer 6.0.2:

Citrix XenServer 6.0.0:

Citrix XenServer 5.6 Service Pack 2:

Citrix XenServer 5.6 Feature Pack 1:

Citrix XenServer 5.6:

Citrix XenServer 5.5 Update 2:

Citrix XenServer 5.0 Update 3:

Customers using Citrix XenServer 5.6 in the Common Criteria evaluated configuration should apply the following hotfix:

You can read the entire article here on the Citrix KB support page.

MS12-020 and Citrix XenDesktop

Last Tuesday Microsoft released a critical hotfix affecting Remote Desktop Services for versions of Windows commonly used as part of XenDesktop and XenApp environments. Microsoft is strongly recommending that customers apply this immediately.

Click here for more information about this patch.

Citrix has tested this patch with XenApp and XenDesktop, and it is listed in the Microsoft Security Patch Validation Report for March 2012.

Microsoft’s March 2012 security updates have passed Citrix testing (the updates are listed below). The testing is not all-inclusive; all tests are

Microsoft Security Compliance Manager 2.5 beta

Hi guys,

Microsoft has released a beta for the Security Compliance Manager 2.5 (SCM 2.5).

In addition to key features from the previous version, SCM 2.5 Beta 2 offers new Exchange Server 2007 and 2010 baselines! Additional SCM 2.5 client product baselines are included in the beta download, including Windows 7 SP1, Windows Vista SP2, Windows XP SP3, Office 2010 SP1, and Internet Explorer 8.

Learn more about Security Compliance Manager.