
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN241
_____________________________________________________________________

DATE                : 04/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Citrix Hypervisor, XenServer.

=====================================================================
https://support.citrix.com/article/CTX272237
_____________________________________________________________________

Citrix Hypervisor Security Update

Reference: CTX272237

Category : Low

Created  : 30 Apr 2020

Modified : 30 Apr 2020

Applicable Products

  o Citrix Hypervisor
  o XenServer 7.1 LTSR Cumulative Update 2
  o XenServer


Description of Problem

An issue has been discovered in Citrix Hypervisor that, if exploited,
could potentially allow an attacker on the management network to
enumerate valid administrative account usernames. Note that this attack
does not disclose the corresponding passwords and does not grant access
to the attacked system.


This issue has the following identifier:

  o CVE-2018-15473


This issue affects Citrix XenServer 7.1 LTSR CU2.


Mitigating Factors

Customers who do not have ssh access enabled to the control domain are
not affected by this issue. Customers who have not enabled Active
Directory integration for administrative login will have minimal
usernames exposed to attacker enumeration.


What Customers Should Do

A hotfix has been released to address this issue. Citrix recommends that
customers running Citrix XenServer 7.1 LTSR CU2 install this hotfix as
their patching schedule allows.

The hotfix can be downloaded from the following location:

Citrix XenServer 7.1 LTSR CU2: CTX269660 -
https://support.citrix.com/article/CTX269660


Acknowledgements

Changelog

+--------------------------+--------------------------------------------------+
|Date                      |Change                                            |
+--------------------------+--------------------------------------------------+
|2020-04-30                |Initial Publication                               |
+--------------------------+--------------------------------------------------+


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================





