Description of Problem
Citrix is aware of recent vulnerability reports that impact Network Time Protocol (NTP) and is actively investigating the potential impact of these issues on Citrix products. There are a number of CVEs related to this issue, the current set includes:
- CVE-2014-9293
- CVE-2014-9294
- CVE-2014-9295
- CVE-2014-9296
NetScaler ADC & NetScaler Gateway
By default, NTP is disabled on the NetScaler and, as such, is not vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. NTP has recently been upgraded to 4.2.8 which contains the fixes for these vulnerabilities on all supported versions. Customers are advised to upgrade to
- NetScaler ADC and NetScaler Gateway 10.1 Build 133.9 or later
- NetScaler ADC and NetScaler Gateway 10.5 Build 58.11 or later
- NetScaler ADC and NetScaler Gateway 10.5.e Build 58.1108.e or later
- NetScaler ADC and NetScaler Gateway 11.0 Build 55.20 or later
to avail these fixes.
XenServer
Some XenServer versions may include a version of ntpd that contains the vulnerable code. However, the NTP configuration used by XenServer results in these issues not being exploitable as the relevant functionality cannot be reached by untrusted network traffic.
XenMobile App Controller
A patch for affected versions of Citrix AppController has been released that address this vulnerability. This patch is available on the Citrix website at the following address:
https://support.citrix.com/article/CTX142031
Citrix recommends that customers using affected versions of App Controller apply this patch to their appliances as soon as their patching schedule allows.
Citrix CloudPlatform
The following versions of Citrix CloudPlatform are impacted by this vulnerability:
- Citrix CloudPlatform 4.3.x: This vulnerability affects all versions of CloudPlatform up to and including version 4.3.0.2.
- Citrix CloudPlatform 4.2.x: This vulnerability affects all versions of CloudPlatform up to and including version 4.2.1-6.
- Citrix CloudPlatform 3.0.x: This vulnerability affects all versions of CloudPlatform up to and including version 3.0.7 Patch G.
Citrix CloudPlatform 4.5 is not affected by this vulnerability.
Customers using affected versions of Citrix CloudPlatform should update their SystemVM ISO. Download details and more informaiton on how to update the SystemVM ISO can be found at the following address: https://support.citrix.com/article/CTX200459
In addition to updating the SystemVM ISO, all customers should update their system and router virtual machine templates to the latest version. More information on how to obtain and upgrade these templates is available in the following article: https://support.citrix.com/article/CTX200024
Citrix VDI-In-A-Box
The following versions of Citrix VDI-In-A-Box (VIAB) are impacted by this vulnerability:
Citrix VDI-In-A-Box 5.4.x: A new version of VIAB, 5.4.6, has been released to address this vulnerability. This can be found at the following address: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54.html
Citrix VDI-In-A-Box 5.3.x: A new version of VIAB, 5.3.10, has been released to address this vulnerability. This can be found at the following address: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53.html
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change |
---|---|
January 6th 2015 | Initial bulletin publishing |
January 12th 2015 | Addition of XenServer section |
February 2nd 2015 | Addition of XenMobile App Controller section |
March 4th 2015 | Addition of CloudPlatform section |
March 18th 2015 | Addition of VDI-In-A-Box section |
June 18th 2015 | Update to VDI-In-A-Box section |
March 10th 2016 | Update to Netscaler ADC & Netscaler Gateway section |