what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

FoundstoneCitrix.txt

FoundstoneCitrix.txt
Posted Apr 6, 2004
Authored by Vijay Akasapu, David Wong | Site foundstone.com

Foundstone Labs Advisory - Citrix MetaFrame Password Manager 2.0 has a flaw where it will locally store credentials unencrypted if the agent is not pointed to a central credential store.

tags | advisory
SHA-256 | 1c9632d94f5f40b0cc99ad07a73eaec4580053d25e6d9dafb7e2c377dbb5468b

FoundstoneCitrix.txt

Change Mirror Download
Foundstone Labs Advisory

Advisory Name: Citrix MetaFrame Password Manager 2.0 credentials not
encrypted under certain configurations
Release Date: April 5, 2004
Application: Citrix MetaFrame Password Manager 2.0
Platforms: Windows 2000 and Windows XP
Type: Information Disclosure
Vendors: Citrix
Vendor Advisory:
https://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=256
Authors: Vijay Akasapu and David Wong
Reference: https://www.foundstone.com/advisories

Overview:

The Citrix MetaFrame Password Manager 2.0 product provides
enterprise-level single sign-on (SSO) functionality, enabling users
to authenticate just once with a single set of credentials to gain
access to a variety of applications, systems, and web sites that
require secondary logons. The product accomplishes this by storing
user's passwords in an encrypted database and automatically providing
credentials to applications when needed. The credentials are normally
encrypted using the 3DES algorithm in both the local and central
store. However, if an administrator inadvertently fails to configure
the Citrix MetaFrame Password Manager agent to point to a central
credential store, the credentials will be stored in the local store
unencrypted.

Mitigating Factors:

1. The local credential store is protected by Windows File Access
Control Lists (ACLs) that restrict access to the user or
Administrator

2. The credentials are stored unencrypted only when a central
credential store is not configured. This configuration is unlikely
to be encountered in a typical production deployment of Citrix
MetaFrame Password Manager

3. Only credentials entered immediately after executing the
First Time User Wizards are affected. Credentials entered
subsequently are encrypted.

Vendor Response:

Foundstone's software security consulting group identified this
vulnerability during a product security assessment of Citrix MetaFrame
Password Manager 2.0. The assessment was commissioned by Citrix as
part of their efforts to provide Citrix customers with more secure
software.

Citrix has issued a security bulletin and Hotfix MPME100W001 to
address the vulnerability identified in this advisory. It is
available at:
https://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=256

Recommendation:

Apply Hotfix MPME100W001 provided by Citrix. If no central
credential store has been configured, the local credential store
should be manually deleted before the system is patched.

Administrators must ensure all deployments are configured with
synchronization to a central credential store (either Active
Directory or File Server).

Disclaimer:

The information contained in this advisory is copyright (c) 2004
Foundstone, Inc. and is believed to be accurate at the time of
publishing. However, no representation of any warranty is given,
expressed, or implied as to its accuracy or completeness. In no
event shall the author or Foundstone be liable for any direct,
indirect, incidental, special, exemplary or consequential damages
resulting from the use or misuse of this information. This advisory
may be redistributed, provided that no fee is assigned and that
the advisory is not modified in any way.

About Foundstone Foundstone Inc. addresses the security and
privacy needs of Global 2000 companies with world-class Enterprise
Vulnerability Management Software, Managed Vulnerability Assessment
Services, Professional Consulting and Education offerings. The
company has one of the most dominant security talent pools ever
assembled, including experts from Ernst & Young, KPMG,
PricewaterhouseCoopers, and the United States Defense Department.
Foundstone executives and consultants have authored nine books,
including the international best seller Hacking Exposed: Network
Security Secrets & Solutions.

Foundstone is headquartered in Orange County, CA, and has offices
in New York, Washington, DC, San Antonio, and Seattle. For more
information, visit www.foundstone.com or call 1-877-91-FOUND.

Copyright (c) 2004 Foundstone, Inc. All rights reserved worldwide.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close