CVE-2016-4810 - Vulnerability in Citrix Studio Could Result in Insecure Access Policy Configuration

Related Vulnerabilities: CVE-2016-4810  

Description of Problem

A vulnerability has been identified in Citrix Studio that could allow Access Policy rules to be set insecurely on the Citrix XenDesktop Delivery Controller.
This vulnerability affects the following product versions:

  • Citrix XenDesktop 7.x between versions 7.0 and 7.6 inclusive, including 7.6 Long Term Service Release (LTSR)
  • Citrix XenApp versions 7.5 and 7.6

Citrix Studio for Citrix XenApp and XenDesktop versions 7.7 and later are not affected by this vulnerability.

Citrix XenDesktop 5.6 and earlier, and Citrix XenApp 6.x and earlier, are not affected by this vulnerability.

This vulnerability has been assigned the following CVE number:

  • CVE-2016-4810: Vulnerability in Citrix Studio Could Result in Insecure Access Policy Configuration.

Mitigating Factors

Access policy rules that have not been edited from their default are not affected by this vulnerability.


What Customers Should Do

Citrix has released a new version of Citrix Studio to address this vulnerability. Citrix recommends that affected customers upgrade to the following version:

  • Citrix Studio 7.6.1000 or later

Customers using Citrix XenDesktop 7.6 LTSR should apply Cumulative Update 1 (CU1).

This new version can be downloaded from the following location:

In addition to upgrading to a version of Citrix Studio that contains the fix for this issue, Citrix also recommends that all customers review their current Access Policy rules to ensure that they reflect the intended configuration.

More information on how to accomplish this using the associated PowerShell script can be found in the following Knowledge Center article:
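
A read-only way to pull the current rules for that review, as an added example that is not the Citrix script referenced above: it assumes the Citrix Broker PowerShell snap-in (`Citrix.Broker.Admin.V2`) is installed and the session runs as a Citrix administrator. The `ReviewNote` conditions and the output file name are choices made for this example, not criteria taken from the advisory.

```powershell
# Added example: export every Broker access policy rule so the effective
# settings can be compared against the intended configuration.
# Read-only: uses Get-* cmdlets only and changes nothing on the site.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Heuristic notes (assumption for this example): point the reviewer at rules
# whose user or connection scope is not restricted by an explicit filter.
$reviewNote = {
    $notes = @()
    if (-not $_.Enabled) { $notes += 'rule disabled' }
    if ("$($_.AllowedUsers)" -ne 'Filtered') {
        $notes += "AllowedUsers=$($_.AllowedUsers)"
    }
    if ("$($_.AllowedConnections)" -eq 'AnyViaAG') {
        $notes += 'AllowedConnections=AnyViaAG'
    }
    $notes -join '; '
}

# Default MaxRecordCount is 250; raise it so large sites are not truncated.
$rules = Get-BrokerAccessPolicyRule -MaxRecordCount 10000 |
    Sort-Object DesktopGroupName, Name |
    Select-Object DesktopGroupName, Name, Enabled,
        AllowedConnections, AllowedProtocols, AllowedUsers,
        IncludedUserFilterEnabled,
        @{ Name = 'IncludedUsers'
           Expression = { ($_.IncludedUsers | ForEach-Object { $_.Name }) -join '; ' } },
        ExcludedUserFilterEnabled,
        @{ Name = 'ExcludedUsers'
           Expression = { ($_.ExcludedUsers | ForEach-Object { $_.Name }) -join '; ' } },
        IncludedSmartAccessFilterEnabled,
        @{ Name = 'IncludedSmartAccessTags'
           Expression = { $_.IncludedSmartAccessTags -join '; ' } },
        ExcludedSmartAccessFilterEnabled,
        @{ Name = 'ExcludedSmartAccessTags'
           Expression = { $_.ExcludedSmartAccessTags -join '; ' } },
        @{ Name = 'ReviewNote'; Expression = $reviewNote }

# Full detail goes to CSV (file name is arbitrary); a summary goes to the console.
$rules | Export-Csv -Path .\AccessPolicyRules.csv -NoTypeInformation
$rules | Format-Table DesktopGroupName, Name, Enabled, AllowedUsers,
    AllowedConnections, ReviewNote -AutoSize
```

Rules that were edited in Citrix Studio are the ones to check first, since rules left at their defaults are not affected.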


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix