Description of Problem
An issue has been identified in Citrix Federated Authentication Service (FAS) which causes deployments that have been configured to store a registration authority certificate's private key in a Trusted Platform Module (TPM) to incorrectly store that key in the Microsoft Software Key Storage Provider (MSKSP).
This issue only occurs if PowerShell was used when configuring FAS to store the registration authority certificate’s private key in the TPM. It does not occur if the TPM was not selected for use or if the FAS administration console was used for configuration.
CVE-ID | Description | Type | Pre-requisites |
CVE-2022-26355 | The registration authority certificate's private key is stored in ‘Microsoft Software Key Storage Provider’ even if the Trusted Platform Module was selected | CWE-668: Exposure of Resource to Wrong Sphere | Local Administrator access to the FAS server |
Certificates that were generated using the following versions of Citrix Federated Authentication Service are affected by this issue:
- Citrix Federated Authentication Service 7.17 - 10.6
These versions of FAS are included in Citrix Virtual Apps and Desktops 2106 and earlier, and in XenApp / XenDesktop 7.17 and later.
Note that it is the version of FAS that was installed when the certificate was generated which determines if the deployment is affected and not the currently installed version.
Customers can determine if the registration authority certificate's private key is currently being stored in the TPM by using the following PowerShell commands and reviewing the output:
Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1
Get-FasAuthorizationCertificate -FullCertInfo -Address localhost
The PrivateKeyProvider field will be set to Microsoft Platform Crypto Provider if the registration authority certificate's private key is stored in the TPM.
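The same check, wrapped in a function so that the result can be filtered or exported across one or more FAS servers. This is an added example and not part of the Citrix advisory or the FAS product; it relies only on the snap-in, cmdlet, parameters and PrivateKeyProvider field named above. The function name Get-FasRaKeyStorageStatus, the handling of more than one returned certificate, and the literal provider name 'Microsoft Software Key Storage Provider' used for the comparison are assumptions made for the example.

```powershell
# Added example (not from the Citrix advisory): report whether each FAS
# registration authority certificate's private key is held by the TPM
# provider or by the software KSP. Assumes the Citrix FAS snap-in is
# installed on the FAS server and that Get-FasAuthorizationCertificate
# -FullCertInfo returns objects with a PrivateKeyProvider property, as the
# advisory states.
Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1

# Provider names as they appear in the PrivateKeyProvider field.
$TpmProvider  = 'Microsoft Platform Crypto Provider'
$SoftProvider = 'Microsoft Software Key Storage Provider'   # assumed literal

function Get-FasRaKeyStorageStatus {
    param(
        [string]$Address = 'localhost'
    )

    # Force an array so a single certificate and several are handled alike.
    $certs = @(Get-FasAuthorizationCertificate -FullCertInfo -Address $Address)
    if ($certs.Count -eq 0) {
        Write-Warning "No registration authority certificate found on $Address."
        return
    }

    foreach ($cert in $certs) {
        $provider = $cert.PrivateKeyProvider
        $status = switch ($provider) {
            $TpmProvider  { 'TPM-backed: matches a TPM-selected configuration' }
            $SoftProvider { 'Software KSP: key is NOT in the TPM; review the configuration' }
            default       { "Unrecognised provider '$provider'" }
        }

        # One object per certificate so the output can be piped, filtered or exported.
        [pscustomobject]@{
            Address            = $Address
            PrivateKeyProvider = $provider
            InTpm              = ($provider -eq $TpmProvider)
            Status             = $status
        }
    }
}

# Usage: show only certificates whose private key is not in the TPM.
Get-FasRaKeyStorageStatus | Where-Object { -not $_.InTpm } | Format-Table -AutoSize
```

Run it with local administrator rights on the FAS server; pass -Address to query a different FAS server, and pipe the output to Export-Csv when auditing several deployments.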