=====================================================================
                                    CERT-Renater

                         Information Note No. 2007/VULN485
_____________________________________________________________________

DATE                      : 05/12/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Citrix EdgeSight for
                             Endpoints, Citrix EdgeSight for Presentation
                             Server.

======================================================================
http://support.citrix.com/article/CTX115281
______________________________________________________________________

Weakness in Citrix EdgeSight for Endpoints and Citrix EdgeSight for
Presentation Server could result in information disclosure

Alternate Languages: N/A

Severity: Low



Description of Problem

A weakness has been identified in Citrix EdgeSight for Presentation
Server server and Citrix EdgeSight for Endpoints server. This weakness
relates to the way that the credentials for database connectivity are
stored in configuration files.

The weakness is present in all versions of the following products:

       . Citrix EdgeSight for Endpoints

       . Citrix EdgeSight for Presentation Server

       . Citrix EdgeSight for NetScaler



Mitigating Factors

Citrix EdgeSight for Endpoints server & Presentation Server server:

In order to gain access to the configuration file, the user would need
to have access to the file system on the EdgeSight server. In a
standalone deployment of the EdgeSight server, end users would not
typically be able to access this.

Citrix EdgeSight for NetScaler:

Citrix EdgeSight for NetScaler can be configured to use Security Support
Provider Interface (SSPI) authentication for all database access.
Deployments that are configured in this way are not affected by this
issue.

For details on how to configure your Citrix EdgeSight for NetScaler
deployment to use NT Authentication, see the Citrix EdgeSight for
NetScaler Administrator's Guide:

Citrix EdgeSight for NetScaler 1.0 Installation Guide - 
http://support.citrix.com/article/CTX113038

Citrix EdgeSight for NetScaler 1.1 Installation Guide - 
http://support.citrix.com/article/CTX114399
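The two configurations the advisory contrasts, a database connection whose password is stored in the configuration file and one that relies on SSPI (Windows) authentication, can be told apart mechanically. The following audit script is an added example, not Citrix code and not taken from the advisory; it assumes the database connection is expressed as an ADO.NET/ODBC-style "Key=Value;Key=Value" string (the advisory does not name the file format), and the sample configuration it scans is constructed.

```python
import re

# Key aliases in ADO.NET / ODBC style connection strings (assumption: the
# product stores a "Key=Value;Key=Value" string; the advisory does not say).
PASSWORD_KEYS = {"password", "pwd"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
INTEGRATED_VALUES = {"sspi", "true", "yes"}
# Locate a connection string inside an INI-style line or an XML attribute value.
CONN_RE = re.compile(r'(?i)\b(?:server|data source)\s*=[^"\r\n]*')


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;...' into a dict keyed by lower-cased key name."""
    pairs = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip()
    return pairs


def classify(conn: str) -> str:
    """'embedded-credentials' if a password is stored in the string,
    'integrated' if it relies on SSPI / Windows authentication, else 'none'."""
    kv = parse_connection_string(conn)
    if any(kv.get(k) for k in PASSWORD_KEYS):
        return "embedded-credentials"  # secret at rest: the weakness described
    if any(kv.get(k, "").lower() in INTEGRATED_VALUES for k in INTEGRATED_KEYS):
        return "integrated"            # the SSPI deployment the advisory calls unaffected
    return "none"


def audit_config(text: str) -> list:
    """Return (line number, classification) for every connection string found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CONN_RE.search(line)
        if m:
            findings.append((lineno, classify(m.group(0))))
    return findings


# Constructed sample; not a real EdgeSight configuration file.
SAMPLE_CONFIG = """<connectionStrings>
  <add name="weak" connectionString="Server=sql01;Database=EdgeSightDB;User ID=es_svc;Password=Pa55w0rd!" />
  <add name="fixed" connectionString="Server=sql01;Database=EdgeSightDB;Integrated Security=SSPI" />
</connectionStrings>
DBConnection=Data Source=sql01;Initial Catalog=EdgeSightDB;Trusted_Connection=yes
"""

if __name__ == "__main__":
    for lineno, kind in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}")
```

A string that sets SSPI but still carries a leftover Password= value is reported as embedded-credentials, since the secret remains on disk even if the driver ignores it.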


What Customers Should Do

Citrix recommends that customers upgrade their EdgeSight installations:

Citrix EdgeSight for Presentation Server 4.5 & Citrix EdgeSight for
Endpoints 4.5 -- Customers should apply Service Pack 2 (SP2) available
here:

ESPS 4.5 SP2: http://support.citrix.com/article/CTX115526
ESEP 4.5 SP2: http://support.citrix.com/article/CTX115527

Citrix EdgeSight for Presentation Server 4.2 & Citrix EdgeSight for
Endpoints 4.2 -- Customers should apply Service Pack 4 (SP4) available
here:

ESPS 4.2 SP4: http://support.citrix.com/article/CTX111075
ESEP 4.2 SP4: http://support.citrix.com/article/CTX111076


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge
Base at http://support.citrix.com/.


Obtaining Support on this Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Information for contacting Citrix Technical
Support is available at http://support.citrix.com/.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities very seriously. If you
would like to report a security issue to Citrix, please compose an
e-mail to secure@citrix.com containing the exact version of the product
in which the vulnerability was found and the steps needed to reproduce
the vulnerability.


This document applies to:

     * EdgeSight 4.2 for Endpoints
     * Citrix EdgeSight 4.2 for Presentation Server
     * Citrix EdgeSight 4.5 for Endpoints
     * Citrix EdgeSight 4.5 for Presentation Server
     * EdgeSight for NetScaler 1.0
     * EdgeSight for NetScaler 1.1



======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
