====================================================================

                             CERT-Renater

                  Note d'Information No. 2012/VULN308
____________________________________________________________________

DATE                :  02/08/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running
                             Citrix Access Gateway Standard Edition
                              versions 5.0.x prior to version 5.0.4.

======================================================================
http://support.citrix.com/article/CTX133648
______________________________________________________________________


Security Vulnerabilities in Citrix Access Gateway Standard Edition
Document ID: CTX133648/Created On: 31 juil. 2012/Updated On: 31 juil. 2012


Severity: Critical


Description of Problem

Three security vulnerabilities have been identified in Access Gateway
Standard Edition:

    • Directory traversal in Access Gateway Standard Edition 5.0.x
prior to version 5.0.4 (critical severity)

    • Access Gateway Standard Edition 5.0.x can act as an open proxy
(high severity)

    • Text content injection in Access Gateway Standard Edition 5.0.3
and 5.0.4 (low severity)

Access Gateway Standard Edition versions 4.5.x and 4.6.x and currently
supported versions of NetScaler Access Gateway Enterprise Edition are
not affected by these vulnerabilities.

What Customers Should Do

A patch for version 5.0.4 of the Access Gateway Standard Edition
firmware has been released to address these vulnerabilities. Citrix
strongly recommends that all customers using affected versions of
Access Gateway Standard Edition apply this patch to their appliances as
soon as possible. This patch can be found at the following location:

https://www.citrix.com/English/ss/downloads/results.asp?productID=15005&c1=pov2305020&c2=sot36239

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix
Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Contact details for Citrix Technical Support
are available at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities seriously. If you would
like to report a security issue to Citrix, please compose an e-mail to
secure@citrix.com stating the exact version of the product in which the
vulnerability was found and the steps needed to reproduce the
vulnerability

This document applies to:

    Access Gateway 4.5 Standard Edition
    Access Gateway 4.6 Advanced Edition
    Access Gateway 4.6 Standard Edition
    Access Gateway 5.0
    Access Gateway VPX 4.6



======================================================================

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================