Citrix Security Advisory for NTP Vulnerabilities

Related Vulnerabilities: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296

Description of Problem

Citrix is aware of recent vulnerability reports that impact the Network Time Protocol (NTP) and is actively investigating the potential impact of these issues on Citrix products. There are a number of CVEs related to this issue; the current set includes:

  • CVE-2014-9293
  • CVE-2014-9294
  • CVE-2014-9295
  • CVE-2014-9296

The following sections provide some initial guidance to customers on the potential impact of this issue. Please note that this issue is under active analysis and, as such, customers should check back frequently to get the current status of our response.

NetScaler ADC & NetScaler Gateway

By default, NTP is disabled on NetScaler and, as such, NetScaler is not vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. The NTP implementation in all supported NetScaler versions has recently been upgraded to 4.2.8, which contains the fixes for these vulnerabilities. Customers are advised to upgrade to

  • NetScaler ADC and NetScaler Gateway 10.1 Build 133.9 or later
  • NetScaler ADC and NetScaler Gateway 10.5 Build 58.11 or later
  • NetScaler ADC and NetScaler Gateway 10.5.e Build 58.1108.e or later
  • NetScaler ADC and NetScaler Gateway 11.0 Build 55.20 or later

to obtain these fixes.
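As an added example (not part of the advisory or of any Citrix tooling), the following Python checks NetScaler version strings against the fixed builds listed above. It assumes the `show version` output format `NS<major>.<minor>: Build <n>.<m>[.e].nc`; the inventory strings are constructed samples.

```python
import re

# Minimum fixed builds from the advisory, keyed by (major, minor, enhancement_branch).
# The 10.5.e line is tracked separately from 10.5 because its build numbers differ.
FIXED_BUILDS = {
    (10, 1, False): (133, 9),
    (10, 5, False): (58, 11),
    (10, 5, True): (58, 1108),
    (11, 0, False): (55, 20),
}

# Assumed format, e.g. "NetScaler NS10.5: Build 58.1108.e.nc, Date: ..."
VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)(?:\.(e))?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, is_enhancement_build, build_major, build_minor)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised NetScaler version string: %r" % text)
    major, minor, bmaj, bmin = (int(x) for x in m.group(1, 2, 3, 4))
    return major, minor, m.group(5) is not None, bmaj, bmin


def has_ntp_fix(text):
    """True if the build carries NTP 4.2.8, False if older, None if the
    release line is not covered by the advisory. Builds compare numerically,
    so 133.10 is newer than 133.9."""
    major, minor, enh, bmaj, bmin = parse_version(text)
    floor = FIXED_BUILDS.get((major, minor, enh))
    if floor is None:
        return None
    return (bmaj, bmin) >= floor


def audit(inventory):
    """Map hostname -> 'fixed', 'needs-upgrade' (only exposed if NTP was enabled) or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        fixed = has_ntp_fix(version)
        result[host] = "unknown" if fixed is None else ("fixed" if fixed else "needs-upgrade")
    return result


SAMPLE_INVENTORY = {  # constructed sample data
    "ns-a": "NetScaler NS10.5: Build 58.11.nc, Date: Mar 10 2016",
    "ns-b": "NetScaler NS10.5: Build 57.7.nc, Date: Jan 5 2015",
    "ns-c": "NetScaler NS10.5: Build 58.1100.e.nc, Date: Feb 2 2015",
    "ns-d": "NetScaler NS12.0: Build 41.16.nc, Date: Jun 1 2017",
}

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```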


XenServer

Some XenServer versions may include a version of ntpd that contains the vulnerable code. However, the NTP configuration used by XenServer results in these issues not being exploitable as the relevant functionality cannot be reached by untrusted network traffic.

XenMobile App Controller

A patch that addresses this vulnerability has been released for affected versions of Citrix AppController. This patch is available on the Citrix website at the following address:

https://support.citrix.com/article/CTX142031

Citrix recommends that customers using affected versions of App Controller apply this patch to their appliances as soon as their patching schedule allows.

Citrix CloudPlatform

The following versions of Citrix CloudPlatform are impacted by this vulnerability:

  • Citrix CloudPlatform 4.3.x: This vulnerability affects all versions of CloudPlatform up to and including version 4.3.0.2.
  • Citrix CloudPlatform 4.2.x: This vulnerability affects all versions of CloudPlatform up to and including version 4.2.1-6.
  • Citrix CloudPlatform 3.0.x: This vulnerability affects all versions of CloudPlatform up to and including version 3.0.7 Patch G.

Citrix CloudPlatform 4.5 is not affected by this vulnerability.

Customers using affected versions of Citrix CloudPlatform should update their SystemVM ISO. Download details and more information on how to update the SystemVM ISO can be found at the following address: https://support.citrix.com/article/CTX200459

In addition to updating the SystemVM ISO, all customers should update their system and router virtual machine templates to the latest version. More information on how to obtain and upgrade these templates is available in the following article: https://support.citrix.com/article/CTX200024

Citrix VDI-In-A-Box

The following versions of Citrix VDI-In-A-Box (VIAB) are impacted by this vulnerability:

Citrix VDI-In-A-Box 5.4.x: A new version of VIAB, 5.4.6, has been released to address this vulnerability. This can be found at the following address: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54.html

Citrix VDI-In-A-Box 5.3.x: A new version of VIAB, 5.3.10, has been released to address this vulnerability. This can be found at the following address: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53.html

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix

Changelog

Date                Change
January 6th 2015    Initial bulletin publishing
January 12th 2015   Addition of XenServer section
February 2nd 2015   Addition of XenMobile App Controller section
March 4th 2015      Addition of CloudPlatform section
March 18th 2015     Addition of VDI-In-A-Box section
June 18th 2015      Update to VDI-In-A-Box section
March 10th 2016     Update to NetScaler ADC & NetScaler Gateway section