[NT] Citrix MetaFrame Password Manager Credentials Not Encrypted Under Certain Configurations


Date: 7 Apr 2004 11:08:11 +0200
From: SecuriTeam <support@securiteam.com>
To: list@securiteam.com
Subject: [NT] Citrix MetaFrame Password Manager Credentials Not Encrypted Under Certain Configurations

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Citrix MetaFrame Password Manager Credentials Not Encrypted Under Certain Configurations
------------------------------------------------------------------------


SUMMARY

The Citrix MetaFrame Password Manager 2.0 product provides 
enterprise-level single sign-on (SSO) functionality, enabling users to 
authenticate just once with a single set of credentials to gain access to 
a variety of applications, systems, and web sites that require secondary 
logons. The product accomplishes this by storing users' passwords in an 
encrypted database and automatically providing credentials to applications 
when needed. The credentials are normally encrypted using the 3DES 
algorithm in both the local and central store. However, if an 
administrator inadvertently fails to configure the Citrix MetaFrame 
Password Manager agent to point to a central credential store, the 
credentials will be stored in the local store unencrypted.

DETAILS

Vulnerable Systems:
 * Citrix MetaFrame Password Manager version 2.0

Immune Systems:
 * Citrix MetaFrame Password Manager version 2.0 with MPME100W001

Mitigating Factors:
1. The local credential store is protected by Windows File Access Control 
Lists (ACLs) that restrict access to the user or Administrator.

2. The credentials are stored unencrypted only when a central credential 
store is not configured. This configuration is unlikely to be encountered 
in a typical production deployment of Citrix MetaFrame Password Manager.

3. Only credentials entered immediately after executing the First Time 
User Wizards are affected. Credentials entered subsequently are encrypted.

Vendor Response:
Foundstone's software security consulting group identified this 
vulnerability during a product security assessment of Citrix MetaFrame 
Password Manager 2.0. The assessment was commissioned by Citrix as part of 
their efforts to provide Citrix customers with more secure software. 
Citrix has issued a security bulletin and Hotfix MPME100W001 
to address the vulnerability identified in this advisory. It is available 
at:
http://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=256 

Recommendation:
Apply Hotfix MPME100W001 provided by Citrix. If no central credential 
store has been configured, the local credential store should be manually 
deleted before the system is patched.

Administrators must ensure all deployments are configured with 
synchronization to a central credential store (either Active
Directory or File Server).
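A defender-side check for mitigating factor 1, added here as an example and not part of the advisory or of Citrix's own tooling: it audits the ACL on the local credential store and reports any principal other than the owning user or Administrators. The store path is a placeholder (the advisory does not give it), and granting SYSTEM access is an assumption about a typical Windows service deployment.

```powershell
# Added example: audit the ACL on the Password Manager local credential store.
# $StorePath is a PLACEHOLDER; take the real location from the product documentation.
param(
    [string]$StorePath  = 'C:\PLACEHOLDER\LocalCredentialStore',
    [string]$OwningUser = "$env:USERDOMAIN\$env:USERNAME"
)

# Principals mitigating factor 1 expects: the user and Administrators.
# SYSTEM is included as an assumption about how Windows services run.
$allowed = @(
    $OwningUser,
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM'
)

if (-not (Test-Path -LiteralPath $StorePath)) {
    Write-Output "Local store not found at $StorePath (nothing to audit)."
    return
}

# Collect every Allow entry whose identity is outside the expected set.
$acl = Get-Acl -LiteralPath $StorePath
$unexpected = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }

if ($unexpected) {
    Write-Warning "Store at $StorePath grants access beyond the expected principals:"
    $unexpected |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
} else {
    Write-Output "ACL on $StorePath restricts access to the user and Administrators as described."
}
```

If the store exists but no central credential store has been configured, the advisory's recommendation applies: delete the local store manually before applying the hotfix.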


ADDITIONAL INFORMATION

The information has been provided by Foundstone Labs <labs@foundstone.com>.





DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
