CVE-2014-4700 - Vulnerability in Citrix XenDesktop could result in unauthorized access to another user's desktop

Related Vulnerabilities: CVE-2014-4700  

Description of Problem

A vulnerability has been identified in Citrix XenDesktop that could result in a user gaining unauthorized interactive access to another user’s desktop.

This vulnerability affects a specific, non-default configuration of Citrix XenDesktop 7 (all versions up to and including 7.5), Citrix XenDesktop 5 (up to and including Rollup 5.6.300 for Citrix XenDesktop 5.6 FP1) and Citrix XenDesktop 4 (all versions).

This vulnerability only affects Citrix XenDesktop deployments that use pooled random desktop groups and where the broker configuration setting ShutdownDesktopsAfterUse is set to disabled. Configurations that only use assigned desktop groups, including RemotePC access scenarios and user-dedicated desktops, are not affected by this issue.

This vulnerability has been assigned the following CVE number:

    • CVE-2014-4700: Vulnerability in Citrix XenDesktop versions 7.x, 5.x and 4.x could result in unauthorized access to another user’s desktop.

Mitigating Factors

The configuration setting ShutdownDesktopsAfterUse is enabled by default in configurations that use pooled desktop groups, so that each desktop's disk image is reset and the desktop is cleaned after use. For more details, please see the following Citrix Knowledgebase article:

https://support.citrix.com/article/CTX127842
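Because the vulnerable condition is a configuration state (a pooled random desktop group with ShutdownDesktopsAfterUse disabled) rather than a code path, an administrator can enumerate affected groups from a Delivery Controller before and after applying the hotfixes. The script below is an added audit example and is not part of the Citrix advisory or the XenDesktop product. It assumes the Citrix Broker PowerShell SDK snap-in (Citrix.Broker.Admin.V2) is installed, and it assumes that Get-BrokerDesktopGroup exposes the DesktopKind and ShutdownDesktopsAfterUse properties and that Set-BrokerDesktopGroup accepts -ShutdownDesktopsAfterUse, as documented in the Citrix SDK; verify the property names against the SDK version in your site. Treating DesktopKind 'Shared' as "pooled random" is also an assumption of this example.

```powershell
# Added audit example (not Citrix code). Assumes the Citrix Broker PowerShell SDK
# on a Delivery Controller; property and parameter names are taken from the SDK
# as assumptions and should be checked against your installed version.
param(
    # With -Remediate the script restores ShutdownDesktopsAfterUse on affected
    # groups; without it the script only reports. Restoring the default setting
    # is a mitigation, not a substitute for the VDA hotfix.
    [switch]$Remediate
)

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Scope: pooled (shared) desktop groups only. Assigned/private groups, including
# Remote PC Access and user-dedicated desktops, are not affected per the advisory.
$affected = Get-BrokerDesktopGroup |
    Where-Object { $_.DesktopKind -eq 'Shared' -and -not $_.ShutdownDesktopsAfterUse }

if (-not $affected) {
    Write-Output 'No pooled desktop groups with ShutdownDesktopsAfterUse disabled.'
    return
}

foreach ($group in $affected) {
    $msg = "Pooled group '{0}' (Uid {1}) has ShutdownDesktopsAfterUse disabled; " +
           "this is the non-default configuration described in CVE-2014-4700." -f $group.Name, $group.Uid
    Write-Warning $msg

    if ($Remediate) {
        # Re-enabling the default means a pooled desktop is shut down and its disk
        # image reset after each session, so no later user is brokered into a
        # desktop that still carries the previous user's state.
        Set-BrokerDesktopGroup -Name $group.Name -ShutdownDesktopsAfterUse $true
        Write-Output "Re-enabled ShutdownDesktopsAfterUse on '$($group.Name)'."
    }
}
```

Run it without arguments first to get an inventory of exposed groups; run it again with -Remediate only after confirming with the desktop-group owners that shutting pooled desktops down after use is acceptable for their workload, and still schedule the hotfixes listed below, since the configuration change reduces exposure but the fix is in the VDA.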

What Customers Should Do

Updates to Citrix XenDesktop have been released to address this issue. Citrix strongly recommends that affected customers apply these updates as soon as possible.

The hotfixes for Citrix XenDesktop 7.1 and 7.5 can be downloaded from the following locations:

CTX140362 – Hotfix XD710ICAWSWX86005 - For VDA Core Services 7.1/7.5 for Windows Desktop OS (32-bit) - English

CTX140363 – Hotfix XD710ICAWSWX64005 - For VDA Core Services 7.1/7.5 for Windows Desktop OS (64-bit) - English

A VDA Rollup for Citrix XenDesktop 5.6 FP1 can be downloaded from the following location:

CTX138550 – Hotfix Rollup XD560VDAWX86400 (Version 5.6.400) - For Citrix XenDesktop Virtual Desktop Agent Core Services x86 - English

CTX138551 – Hotfix Rollup XD560VDAWX64400 (Version 5.6.400) - For Citrix XenDesktop Virtual Desktop Agent Core Services x64 - English

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix