Description of Problem
Citrix is aware of recent vulnerability reports that impact GNU Bash (collectively known as "Shellshock") and is actively investigating the potential impact of these issues on Citrix products. The underlying flaw is in the way bash processes function definitions passed through environment variables: text following the function body is executed when bash starts, so any component that places externally supplied data in the environment before invoking bash (for example a web server running CGI scripts, or a DHCP client that hands option values to a bash hook script) can be made to run attacker-chosen commands. A number of CVEs relate to this issue; the current set includes:
- CVE-2014-6271
- CVE-2014-6277
- CVE-2014-6278
- CVE-2014-7169
- CVE-2014-7186
- CVE-2014-7187
The following sections provide some initial guidance to customers on the potential impact of this issue. Please note that this issue is under active analysis and, as such, customers should check back frequently to get the current status of our response.
Citrix XenApp & XenDesktop
Most XenApp and XenDesktop components are Windows-based and, as such, are not affected by this vulnerability. Citrix recommends that customers review the following list for more information on specific components:
- Citrix XenDesktop Volume Worker Virtual Machines: Citrix recommends that customers ensure that the virtual machine being used to host the Volume Worker has been patched for this issue.
- Citrix Receivers for Linux, Mac and Android: In line with best practice, Citrix recommends that customers apply any necessary updates to client operating systems.
- Citrix Web Interface when deployed on Unix-based web servers: We recommend that customers verify that the underlying webserver is not vulnerable to this issue.
- Current versions of Citrix Web Interface when deployed on Windows platforms are not affected by this issue.
- Current versions of Citrix Secure Gateway running on Windows platforms are not affected by this issue.
- Citrix Licensing: Please refer to the Citrix Licensing section of this document.
- Citrix Merchandising Server: Please refer to the Citrix Merchandising Server section of this document.
Citrix NetScaler ADC and NetScaler Gateway
We are not currently aware of any direct risk from this issue to any remote NetScaler interfaces. As a defence in depth measure Citrix has included patches for these issues in NetScaler versions 10.5-52.11, 10.1-129.11 and 9.3-67.5.
Citrix NetScaler SDX
Citrix has released updates that address this issue on the NetScaler SDX. Customers are advised to upgrade to the following versions:
- 10.5.52.11r1 or later
- 10.1.129.11r1 or later
- 9.3.67.5r1 or later
Citrix XenServer
Citrix has released security bulletin CTX200223 to cover the impact of Shellshock on XenServer. It is available at the following location:
Citrix XenClient Enterprise
The following XenClient Enterprise engines are impacted by this issue when configured to use DHCP:
- All versions of XenClient Enterprise Engine version 4.x: A new version of XenClient Enterprise, 4.5.8, has been released to address this issue. This can be found at the following address:
https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-45.html
- All versions of XenClient Enterprise Engine version 5.x up to and including version 5.1.4: A new version of XenClient Enterprise, 5.1.5, has been released to address this issue. This can be found at the following address:
https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-51.html
Citrix Desktop Player for Mac
We are not aware of any direct risk from this issue. In line with existing best practice, customers are advised to ensure that any applicable security patches are applied to the underlying operating system.
Citrix Synchronizer for XenClient Enterprise and Desktop Player for Mac
We are not aware of any direct risk from this issue. In line with existing best practice, customers are advised to ensure that any applicable security patches are applied to the underlying operating system that is being used to host the synchronizer.
Citrix XenMobile
Analysis of the impact to XenMobile components is continuing. The following list contains our current guidance for XenMobile components:
- XenMobile Device Manager, XenMobile NetScaler Connector and XenMobile Mail Manager: On-premise versions of these products are not believed to be affected by this vulnerability.
- AppController: The on-premise version of AppController is not vulnerable to this issue. However, fixes have been released for it as a defence in depth measure. This patch is available on the Citrix website at the following address:
https://support.citrix.com/article/CTX142031
Citrix recommends that customers using affected versions of AppController apply this patch to their appliances as soon as their patching schedule allows.
- XenMobile Client for iOS and Android: These clients are not believed to be directly affected by this vulnerability. In line with best practice, Citrix recommends that customers apply any necessary updates to client operating systems.
- XenMobile Client for Windows Phone: This client is not believed to be affected.
- XenMobile Cloud: We do not currently believe that the cloud hosted versions of XenMobile Device Manager and AppController are vulnerable to this issue. However, we are continuing to investigate and this guidance will be updated as our analysis continues.
Citrix ByteMobile
Analysis of the impact to ByteMobile is continuing. The following list contains our current guidance for ByteMobile components:
- ByteMobile Adaptive Traffic Management: Current versions of the ATM component are vulnerable to this issue. Citrix will be releasing updated versions in the near future, details of the fixes will be added to this document as soon as they are available.
- ByteMobile Video Cache: Video Cache is vulnerable to this issue, details for remediation will be added to this document as soon as they are available.
- ByteMobile Traffic Director: We are not currently aware of any direct risk from this issue to the main data path for Traffic Director. Some risk may exist for management interfaces so, in line with existing best practice, we recommend that access to any Traffic Director management interfaces is constrained to trusted users and networks only.
- ByteMobile BEM, BRD, BDL, PPG: We recommend that all customers update their Linux OS to remediate the known issues.
Citrix CloudBridge and BranchRepeater
Branch Repeater VPX in Amazon Web Services (AWS) uses a DHCP client which is vulnerable to this issue. Citrix recommends that customers using Branch Repeater VPX in AWS ensure they are using best practices for securing their systems in Amazon Web Services. Citrix has released new virtual appliances that contain updates to address this issue in CloudBridge versions 7.3.1 and later and 7.2.3 and later. These new versions can be found at the following location:
https://www.citrix.com/downloads/cloudbridge/virtual-appliances.html
We are not currently aware of any direct risk from this issue to other CloudBridge endpoints. While we complete our research, we recommend that customers follow existing Citrix best practices for securing their CloudBridge devices, including ensuring that access to any CloudBridge management interfaces is constrained to trusted users and networks only.
Citrix SaaS Solutions
Analysis of the impact to SaaS solutions is continuing. The following list contains our current guidance for SaaS solutions:
- GoToMeeting: GoToMeeting is not currently believed to be vulnerable to this issue.
- GoToTraining: GoToTraining is not currently believed to be vulnerable to this issue.
- GoToWebinar: GoToWebinar is not currently believed to be vulnerable to this issue.
- ShareFile: ShareFile is not currently believed to be vulnerable to this issue.
- GoToMyPC: GoToMyPC is not currently believed to be vulnerable to this issue.
- GoToAssist: GoToAssist is not currently believed to be vulnerable to this issue.
- OpenVoice: OpenVoice is not currently believed to be vulnerable to this issue.
- Citrix Labs Products (GoToMeet.me, GoToMeeting Free, Convoi, Talkboard, ShareConnect): Citrix Labs Products are not currently believed to be vulnerable to this issue.
Citrix CloudPlatform
We are not currently aware of any direct risk from this issue to the CloudPlatform system virtual machines. As a defence in depth measure, Citrix has included patches for these issues in new versions of the system templates. These can be downloaded from the Citrix website at the following address:
https://www.citrix.com/downloads/cloudplatform/product-software.html
Additionally, customers are advised to update their management servers and guest virtual machines, as well as any virtual machine snapshots, templates or ISO files, to a non-vulnerable version of bash. Citrix recommends that customers follow existing Citrix best practices for securing their CloudPlatform systems, including ensuring that access to any CloudPlatform management interfaces is constrained to trusted users and networks only.
CloudPortal Business Manager
We are not aware of any direct risk from this issue. In line with existing best practice, customers are advised to ensure that any applicable security patches are applied to the underlying operating system.
Citrix Licensing
Citrix License Server VPX: VPX machines that are configured to use DHCP are impacted by this issue. The license server software inside the VPX is not impacted because it does not use bash. A new version of the License Server VPX, 11.12.1, has been released to address this issue. It can be downloaded from the following address:
https://www.citrix.com/downloads/licensing/license-server.html
Customers that are not able to upgrade immediately can reconfigure the VPX to use a static IP address, so that the DHCP client and the bash scripts it invokes are no longer run, or implement network filtering to limit the risk of a malicious DHCP response reaching the VPX. Citrix also recommends that network access to this VPX is restricted.
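Several sections above ask customers to verify that an underlying web server, guest operating system or virtual machine carries a non-vulnerable bash (XenApp & XenDesktop, ByteMobile, CloudPlatform), and the XenClient Enterprise, CloudBridge and License Server VPX sections single out appliances that obtain their address via DHCP. The following POSIX shell script is an added example, not Citrix tooling and not part of the original bulletin. It probes a bash binary for CVE-2014-6271 and CVE-2014-7169 using the publicly known test strings, and its comments explain why an arbitrary environment variable, such as one a DHCP client exports to a bash hook script, is enough to trigger the bug. The function names and the `shellshock_probe` variable name are ours.

```shell
#!/bin/sh
# Added example (not Citrix tooling): probe a bash binary for the two most
# widely exploited Shellshock bugs. Function names here are our own.

# Pick the bash to test: an explicit path if given, else whatever is on PATH.
# Prints "missing" when no bash can be found.
find_bash() {
  if [ -n "$1" ] && [ -x "$1" ]; then
    printf '%s\n' "$1"
  elif command -v bash >/dev/null 2>&1; then
    command -v bash
  else
    printf 'missing\n'
  fi
}

# CVE-2014-6271: a vulnerable bash imports "name=() { ...; }" from ANY
# environment variable as a function definition and keeps parsing, so the
# text after the closing brace is executed when bash starts. The variable
# name is arbitrary, which is why a DHCP client that exports option values
# (e.g. a domain name) into the environment of a bash hook script is an
# attack path. Prints "vulnerable", "patched" or "missing".
check_cve_2014_6271() {
  b=$(find_bash "$1")
  if [ "$b" = missing ]; then echo missing; return 0; fi
  out=$(env 'shellshock_probe=() { :;}; echo SHELLSHOCK_6271' "$b" -c ':' 2>/dev/null || true)
  case "$out" in
    *SHELLSHOCK_6271*) echo vulnerable ;;
    *) echo patched ;;
  esac
}

# CVE-2014-7169: the first fix left a parser bug where a redirection fragment
# at the end of the imported function body leaks into the next command.
# "echo marker" then becomes a redirection into a file literally named "echo"
# in the working directory, so we run the probe in a scratch directory and
# look for that file instead of trusting stdout.
check_cve_2014_7169() {
  b=$(find_bash "$1")
  if [ "$b" = missing ]; then echo missing; return 0; fi
  tmp=$(mktemp -d) || { echo error; return 0; }
  ( cd "$tmp" && env 'shellshock_probe=() { (a)=>\' "$b" -c 'echo marker' ) >/dev/null 2>&1 || true
  if [ -f "$tmp/echo" ]; then r=vulnerable; else r=patched; fi
  rm -rf "$tmp"
  echo "$r"
}

# Human-readable summary for one binary. A "patched" result for these two
# CVEs says nothing about CVE-2014-6277/6278/7186/7187; the vendor's final
# bash package (or the appliance versions in this bulletin) is still required.
shellshock_report() {
  printf 'bash binary:    %s\n' "$(find_bash "$1")"
  printf 'CVE-2014-6271:  %s\n' "$(check_cve_2014_6271 "$1")"
  printf 'CVE-2014-7169:  %s\n' "$(check_cve_2014_7169 "$1")"
}

# Usage: sh shellshock_check.sh [/path/to/bash]
shellshock_report "$1"
```

Run it on the host or guest in question (or point it at a specific binary, e.g. a chroot's `/bin/bash`). Because the probe passes the payload through an environment variable rather than a script argument, it exercises the same code path a CGI web server or DHCP hook script would, which is what the "verify the underlying system is not vulnerable" guidance above is asking for. Treat "patched" as necessary rather than sufficient and still confirm the installed bash package version against the operating system vendor's advisory.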
Citrix Merchandising Server
We are not aware of any direct risk posed to the Merchandising Server from this vulnerability. This guide will be updated if further information becomes available.
Citrix VDI-In-A-Box
The following versions of Citrix VDI-In-A-Box (VIAB) are impacted by this vulnerability:
- Citrix VDI-In-A-Box 5.4.x: A new version of VIAB, 5.4.5, has been released to address this issue. This can be found at the following address:
https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54.html
- Citrix VDI-In-A-Box 5.3.x: A new version of VIAB, 5.3.10, has been released to address this vulnerability. This can be found at the following address:
https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53.html
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change |
---|---|
September 26th 2014 | Initial bulletin publishing |
September 29th 2014 | Addition of ByteMobile section |
September 30th 2014 | Addition of CloudBridge and SaaS Solutions sections and additional CVE numbers |
October 1st 2014 | Addition of CloudPlatform, XenClient Enterprise, Desktop Player for Mac and Synchronizer sections. |
October 2nd 2014 | Addition of Licensing section and update of CloudBridge section. |
October 3rd 2014 | Update to XenApp & XenDesktop section. |
October 3rd 2014 | Update to NetScaler ADC and Gateway section. |
October 7th 2014 | Update to Citrix XenApp & XenDesktop section (Web Interface and CSG on Windows). |
October 8th 2014 | Update to Citrix XenServer section |
October 20th 2014 | Addition of Merchandising Server section |
October 23rd 2014 | Update to NetScaler ADC & Gateway section |
October 24th 2014 | Update to CloudPlatform and NetScaler sections |
October 28th 2014 | Update to Licensing section |
October 29th 2014 | Update to XenClient Enterprise section |
October 29th 2014 | Addition of CloudPortal Business Manager section |
December 2nd 2014 | Update to Merchandising Server and CloudPlatform sections |
December 3rd 2014 | Update to XenClient Enterprise section |
February 2nd 2015 | Update to XenMobile section |
February 25th 2015 | Addition of VDI-In-A-Box section |
March 2nd 2015 | Addition of NetScaler SDX section |
April 28th 2015 | Update to VDI-In-A-Box section |
May 8th 2015 | Update to CloudBridge section |