Citrix Security Advisory for OpenSSL Vulnerabilities (June 2014)

Related Vulnerabilities: CVE-2014-0224   CVE-2014-0221   CVE-2014-0195   CVE-2014-0198   CVE-2010-5298   CVE-2014-3470  

Overview

The OpenSSL security advisory released on the 5th of June 2014 disclosed six security vulnerabilities in this open source component; these are described below:

    • CVE-2014-0224: SSL/TLS MITM vulnerability

    • CVE-2014-0221: DTLS recursion flaw

    • CVE-2014-0195: DTLS invalid fragment vulnerability

    • CVE-2014-0198: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference

    • CVE-2010-5298: SSL_MODE_RELEASE_BUFFERS session injection or denial of service

    • CVE-2014-3470: Anonymous ECDH denial of service

For more details on the underlying CVEs please refer to the OpenSSL security advisory: https://www.openssl.org/news/secadv_20140605.txt

As noted in the OpenSSL security advisory, CVE-2014-0224 is currently believed to be exploitable only when an unpatched OpenSSL based client connects to an unpatched OpenSSL 1.0.1 based server (OpenSSL clients of all versions accept the premature ChangeCipherSpec; servers are only known to be affected in 1.0.1 and 1.0.2-beta1), and the attacker must be positioned on the network path between the two. Because a patched server rejects the premature ChangeCipherSpec and thereby defeats the currently known attack, Citrix recommends that customers apply any required patches to server-side components to mitigate this issue.

In deployments where Citrix client components are used to make TLS connections to non-Citrix servers, Citrix recommends that customers verify with the vendors that those server components are not impacted by CVE-2014-0224.
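
The check a practitioner will want for the server side of CVE-2014-0224 is whether a given TLS endpoint still accepts a ChangeCipherSpec record sent before the key exchange. The script below is an added example written for this advisory; it is not Citrix or OpenSSL code. It builds a minimal TLS 1.0 ClientHello and CCS record from the RFC 2246 layout, and classifies the server's reply: a fixed OpenSSL answers the premature CCS with alert unexpected_message (10); a vulnerable one accepts it, derives keys from an empty master secret and then fails to verify the second CCS with bad_record_mac (20) or decryption_failed (21). Only probe() touches the network; the host and port are whatever the caller supplies, and the sample alert bytes in the usage below are constructed.

```python
"""Probe logic for CVE-2014-0224 (acceptance of a premature ChangeCipherSpec).

Added example for this advisory, not Citrix or OpenSSL code. Record layout
follows RFC 2246; probe() assumes a reachable TLS server chosen by the caller
and is the only function that opens a socket.
"""
import os
import socket
import struct

TLS_1_0 = b"\x03\x01"
CT_CCS, CT_ALERT, CT_HANDSHAKE = 0x14, 0x15, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO_DONE = 0x01, 0x0E
ALERT_UNEXPECTED_MESSAGE, ALERT_BAD_RECORD_MAC, ALERT_DECRYPTION_FAILED = 10, 20, 21


def tls_record(content_type, body):
    """Wrap body in a TLS 1.0 record header: type(1) version(2) length(2)."""
    return struct.pack("!B2sH", content_type, TLS_1_0, len(body)) + body


def client_hello(cipher_suites=(0x002F, 0x0035, 0x000A)):
    """Minimal TLS 1.0 ClientHello offering a few RSA suites, no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (TLS_1_0 + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites    # cipher suites
            + b"\x01\x00")                               # one compression method: null
    msg = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return tls_record(CT_HANDSHAKE, msg)


def change_cipher_spec():
    """The 6-byte CCS record a fixed server must reject before the key exchange."""
    return tls_record(CT_CCS, b"\x01")


def parse_records(data):
    """Split a buffer into (content_type, body) pairs; a trailing partial record is ignored."""
    records, off = [], 0
    while off + 5 <= len(data):
        ct, _ver, length = struct.unpack("!B2sH", data[off:off + 5])
        if off + 5 + length > len(data):
            break
        records.append((ct, data[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def handshake_types(data):
    """Handshake message types in the buffer (several may share one record)."""
    types = []
    for ct, body in parse_records(data):
        if ct != CT_HANDSHAKE:
            continue
        off = 0
        while off + 4 <= len(body):
            types.append(body[off])
            off += 4 + int.from_bytes(body[off + 1:off + 4], "big")
    return types


def classify(reply):
    """Verdict for the server's reply to two premature CCS records."""
    for ct, body in parse_records(reply):
        if ct == CT_ALERT and len(body) >= 2:       # alert body is level(1) description(1)
            if body[1] == ALERT_UNEXPECTED_MESSAGE:
                return "not vulnerable"
            if body[1] in (ALERT_BAD_RECORD_MAC, ALERT_DECRYPTION_FAILED):
                return "vulnerable"
    return "inconclusive"                           # silence or close: do not guess


def probe(host, port=443, timeout=5.0):
    """Run the exchange against a live server and return classify()'s verdict."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello())
            buf = b""
            # Read until ServerHelloDone so the CCS is unambiguously premature.
            while HS_SERVER_HELLO_DONE not in handshake_types(buf):
                chunk = sock.recv(16384)
                if not chunk:
                    return "inconclusive"           # server hung up mid-handshake
                buf += chunk
            sock.sendall(change_cipher_spec() + change_cipher_spec())
            reply = sock.recv(4096)
    except socket.timeout:
        return "inconclusive"
    return classify(reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python3 ccs_probe.py host [port]` against a lab server only. The verdict is about the server's record-layer behaviour, not its version string, so it is also meaningful for appliances where the OpenSSL build cannot be inspected; an "inconclusive" result (a non-OpenSSL stack that simply closes the connection, or a firewall timeout) should be followed up rather than read as safe.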

What Citrix is Doing

Citrix is actively analyzing the impact of this issue on currently supported products. The following sections of this advisory provide current information on each product.

Components that require Citrix updates:

    • Citrix CloudBridge: Updated appliance firmware has been released to address this vulnerability on Citrix CloudBridge. Customers are advised to upgrade their appliances to version 7.3.0 or later, or 7.2.2 or later. These updated versions are available from the Citrix website at the following address: https://www.citrix.com/downloads/cloudbridge/firmware/

    • Citrix CloudPlatform: The TLS interface exposed by the Secondary Storage VM in CloudPlatform versions 4.2, 4.2.1, 4.2.1-x, 4.3, and 4.3.0.1 is impacted by CVE-2014-0224. Citrix has released updated system virtual machine templates to resolve this issue. Citrix recommends that customers update the system virtual machine templates to a patched version and then reboot any Secondary Storage VMs to ensure that the updated OpenSSL version is actually loaded (the template update alone does not replace the library in a running VM). Instructions on updating the system virtual machine templates can be found in the following Citrix Knowledge Center article: https://support.citrix.com/article/CTX200024.

    • Citrix NetScaler IPMI/LOM Interface: This interface is impacted by these issues. Additional details will be added to this document as soon as they are available.

    • Citrix XenMobile App Controller: XenMobile App Controller versions 2.9 and 2.10 are impacted by CVE-2014-0224. Patches have been released to address this issue for both App Controller 2.9 and 2.10. Citrix recommends that customers deploy these patches as soon as possible. These patches are available from the following location: https://www.citrix.com/downloads/xenmobile/product-software.html

    • Citrix Licensing: Currently supported versions of the Citrix License Server for Windows and the License Server VPX are impacted by CVE-2014-0224. New versions (11.12.1) of the License Server for Windows and License Server VPX have been released to address this issue. These new versions can be found at the following location: https://www.citrix.com/downloads/licensing/license-server.html

    • Citrix VDI-in-a-Box: Currently supported versions of Citrix VDI-in-a-Box appliances are impacted by CVE-2014-0224. New VDI-in-a-Box appliances have been released to address this vulnerability. Citrix recommends that customers upgrade their VDI-in-a-Box deployments to these versions or deploy new appliances. The updated appliances can be obtained from the following locations (a MyCitrix login is required to access these files): Version 5.4.4: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54; Version 5.3.8: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53. Information on how to verify the version of OpenSSL in use can be found in the following document: CTX140975 – How to Check OpenSSL Version in a VDI-in-a-Box Appliance. Further information on how to apply the upgrades can be found in the following document: CTX140490 – VDI-in-a-Box Hotfix Upgrades.
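
Verifying the OpenSSL version on a host (the step CTX140975 describes for VDI-in-a-Box) comes down to comparing the `openssl version` string against the releases that carry the 5 June 2014 fixes: 0.9.8za, 1.0.0m and 1.0.1h. The helper below is an added example, not Citrix code or the content of CTX140975. It parses the upstream version format, orders the patch letters correctly ("za" sorts after "y") and deliberately returns "unknown" for anything it cannot judge from the string alone: the affected 1.0.2-beta1 pre-release, non-OpenSSL stacks, and vendor builds with a suffix such as "-fips". Note the standing caveat that Linux distributions often backport the fix without changing the version letter, so "older than fix" on a distribution package must be confirmed against that vendor's own advisory. The version lines in the test are constructed.

```python
"""Classify an `openssl version` line against the June 2014 fixed releases.

Added example for this advisory, not Citrix code. Fixed releases are those
named in the OpenSSL advisory of 5 June 2014. Distribution builds that
backport the fix without changing the version letter cannot be judged from
the string; this helper does not try.
"""
import re
import subprocess

# Branch -> first patch letter that contains the 5 June 2014 fixes.
FIXED = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

# "OpenSSL 1.0.1h 5 Jun 2014" -> (1, 0, 1), "h", ""   "OpenSSL 1.0.1e-fips ..." -> suffix "-fips"
_VERSION_RE = re.compile(r"^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(\S*)")


def letter_key(letters):
    """Sort key for OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def parse_version(text):
    """Return (branch, letters, suffix) for an upstream-style version line, else None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3])), m[4], m[5]


def assess(text):
    """'fixed', 'older than fix' or 'unknown' for one `openssl version` line."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"                 # not OpenSSL, or a format this helper does not know
    branch, letters, suffix = parsed
    if suffix or branch not in FIXED:
        # "-fips"/"-beta1" style suffixes mark vendor or pre-release builds (1.0.2-beta1
        # was affected but had no fixed release on 5 June 2014); version strings
        # alone say nothing reliable about them.
        return "unknown"
    return "fixed" if letter_key(letters) >= letter_key(FIXED[branch]) else "older than fix"


def assess_local():
    """Run `openssl version` on this host and return (version line, verdict)."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    return out.strip(), assess(out)


if __name__ == "__main__":
    line, verdict = assess_local()
    print(f"{line!r}: {verdict}")
```

The verdict is only as good as the library the appliance actually loads; where a product bundles its own OpenSSL (as the App Controller and License Server builds above do), check the bundled copy rather than the system one.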

    • Citrix XenClient Enterprise: XenClient Enterprise versions prior to 5.1.3 are impacted by CVE-2010-5298. Citrix has released versions 5.1.3 and 4.5.7 to address this issue. Citrix recommends that customers update their XenClient Enterprise installations. The updated software can be found at the following locations: 5.1.3: https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-51. 4.5.7: https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-45

    • HDX RealTime Optimization Pack for Microsoft Lync 2010: This component is impacted by CVE-2014-0224. An updated version of this component has been released to address this issue. Citrix recommends that customers deploy this update as soon as possible. More information on how to download and apply the updated version can be found at the following address: http://support.citrix.com/proddocs/topic/hdx-realtime-optimization-pack-15/hdx-realtime-optimization-pack-download-15.html

Components that may require third-party updates:

    • Citrix Web Interface: Web Interface makes use of the TLS functionality provided by the underlying web server. Citrix customers are advised to verify that any deployed web servers used to host Web Interface are not vulnerable to these issues.

    • Citrix CloudPortal Business Manager: This product does not include any TLS libraries and, as such, is not vulnerable to these issues. Some customer deployments may make use of an additional SSL proxy component; Citrix advises customers to contact the vendors of any SSL proxy components being used to determine if they are vulnerable to these CVEs.

Components that are not impacted:

    • Citrix XenDesktop Delivery Controller (DDC): Currently supported versions of the DDC do not use a TLS library that is vulnerable to these issues.

    • Citrix XenDesktop Virtual Desktop Agent (VDA): Currently supported versions of the VDA do not use a TLS library that is vulnerable to these issues.

    • Citrix Studio: Currently supported versions of Citrix Studio do not use a TLS library that is vulnerable to these issues.

    • Citrix Director: Currently supported versions of Citrix Desktop Director do not use a TLS library that is vulnerable to these issues.

    • Citrix XenApp: Currently supported versions of Citrix XenApp servers and administrative consoles do not use a TLS library that is vulnerable to these issues. Customers are advised to verify that their XenApp deployments do not contain any other vulnerable components listed in this advisory.

    • Citrix Edgesight: Currently supported versions of Citrix Edgesight do not use a TLS library that is vulnerable to these issues.

    • Citrix Profile Management (UPM): Currently supported versions of Citrix UPM do not use a TLS library that is vulnerable to these issues.

    • Citrix Merchandising Server: The TLS server component of currently supported versions of Citrix Merchandising Server is not vulnerable to these issues.

    • Citrix StoreFront: The TLS library used by currently supported versions of Citrix StoreFront is not vulnerable to these issues.

    • Citrix Password Manager: The TLS server component of currently supported versions of Citrix Password Manager is not vulnerable to these issues.

    • Citrix NetScaler Packet Engine: The core packet engine functionality of currently supported versions of Citrix NetScaler is not vulnerable to these issues.

    • Citrix NetScaler Gateway: The SSL Server functionality of NetScaler Gateway, formerly Access Gateway Enterprise Edition, is not vulnerable to these issues.

    • Citrix XenServer: When acting as an SSL server, the TLS libraries used by currently supported versions of Citrix XenServer are not vulnerable to these issues.

    • Citrix Secure Gateway: When acting as an SSL server, the TLS libraries used by the currently supported version of Citrix Secure Gateway are not vulnerable to these issues.

    • Citrix SSL Relay: The TLS libraries used by the currently supported version of the SSL Relay are not vulnerable to these issues.

    • Citrix Provisioning Services: Currently supported versions of Citrix Provisioning Services are not vulnerable to these issues.

    • Citrix CloudPortal Services Manager: The TLS libraries used by currently supported versions of CloudPortal Services Manager are not vulnerable to these issues.

    • Citrix XenMobile MDM Edition: The TLS libraries used by components of XenMobile MDM edition, including the XenMobile Device Manager component, are not vulnerable to these issues.

    • GoToMeeting, GoToMyPC, ShareFile, GoToAssist, GoToWebinar, GoToTraining, Podio, and other related SaaS division products are not vulnerable to these issues. However, as a security best practice, for SaaS software utilizing OpenSSL, we are updating to the most current version.

Client components that may be exposed to CVE-2014-0224 if used with unpatched servers:

    • Citrix NetScaler: TLS client connections initiated from the versions of Citrix NetScaler listed below are not vulnerable to these issues; earlier builds should be treated as exposed when they connect to an unpatched server.

    - Citrix NetScaler ADC and NetScaler Gateway version 10.1 and 10.1.e builds 10.1 Build 127.10 and 10.1 Build 127.1001.e and later

    - Citrix NetScaler ADC and NetScaler Gateway version 10.5 and 10.5.e builds 10.5 Build 50.10 and 10.5 Build 51.1017.e and later

    - Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 55.20 and later

    • Citrix Receiver for Windows: Citrix Receiver for Windows up to and including version 4.1

    • Citrix Receiver for Mac: Citrix Receiver for Mac up to and including version 11.8.2

    • Citrix Receiver for Linux: Citrix Receiver for Linux up to and including version 13.0

    • Citrix Receiver for iOS: Citrix Receiver for iOS up to and including version 5.8.3

Other Products:

Analysis of other Citrix products is in progress, details on these will be added to this document as soon as they are available. Please check this document regularly for updates.

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix

Changelog

Date                 Change
October 23rd 2014    Addition of HDX RealTime Optimization Pack to Affected Components section
November 3rd 2014    Update to Licensing section
February 11th 2015   Addition of CloudBridge section
June 7th 2016        Update to NetScaler section