__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability

__________________________________________________________

                    INFORMATION BULLETIN

      Citrix Vulnerability in Program Neighborhood Client [CTX108354]

December 16, 2005 19:00 GMT                                    Number Q-077
______________________________________________________________________________

PROBLEM:       The Citrix Program Neighborhood client supports a UDP based
               application enumeration mechanism; if this functionality is
               used to present the client with a very long application name
               then an implementation flaw in the client could result in an
               internal buffer being overflowed.

PLATFORM:      Citrix Program Neighborhood version 9.1 and earlier for 32-bit
               and 64-bit Windows

DAMAGE:        It is possible that this buffer overflow could be used to
               execute malicious code within the client process.

SOLUTION:      This issue has been fixed in versions 9.150 and later of the
               Program Neighborhood Client.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. It is possible that this buffer overflow
ASSESSMENT:    could be used to execute malicious code within the client
               process with user privileges. For this vulnerability to be
               exploited the client would have to be explicitly configured to
               point to a malicious UDP server, or a malicious UDP server
               would have to be installed on the same subnet as the client.
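The PROBLEM entry above describes a classic unchecked copy of a network-supplied name into a fixed-size heap record. The following C sketch is an added illustration of that bug class and of the bounds check that closes it; it is not Citrix's code, and the record layout, `APP_NAME_MAX`, and the sample replies are constructed assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout (not Citrix's): each enumeration reply carries an
 * application name that the client stores in a fixed-size heap record. */
#define APP_NAME_MAX 32

struct app_entry {
    char name[APP_NAME_MAX];
};

/* Vulnerable pattern, kept only for contrast: the copy is bounded by the
 * length found on the wire, not by the record, so an over-long name
 * writes past the heap allocation (and an unterminated one reads past
 * the datagram). */
struct app_entry *parse_entry_unchecked(const unsigned char *dgram, size_t len)
{
    struct app_entry *e = malloc(sizeof *e);
    if (!e) return NULL;
    (void)len;                               /* datagram length ignored */
    strcpy(e->name, (const char *)dgram);    /* no bound: heap overflow */
    return e;
}

/* Hardened pattern: locate the terminator inside the datagram, then refuse
 * any name that does not fit the record rather than truncating silently.
 * Returns NULL for unterminated or over-long names. */
struct app_entry *parse_entry_checked(const unsigned char *dgram, size_t len)
{
    const unsigned char *nul = memchr(dgram, '\0', len);
    if (!nul) return NULL;                       /* no terminator in reply */
    size_t name_len = (size_t)(nul - dgram);
    if (name_len >= APP_NAME_MAX) return NULL;   /* would overflow record */
    struct app_entry *e = malloc(sizeof *e);
    if (!e) return NULL;
    memcpy(e->name, dgram, name_len + 1);        /* bounded by the check */
    return e;
}

/* Self-check on two constructed replies: a short name and a 63-byte one. */
int demo(void)
{
    unsigned char ok[] = "Notepad";
    unsigned char big[64];
    memset(big, 'A', sizeof big); big[63] = '\0';
    struct app_entry *a = parse_entry_checked(ok, sizeof ok);
    struct app_entry *b = parse_entry_checked(big, sizeof big);
    int result = a != NULL && b == NULL && strcmp(a->name, "Notepad") == 0;
    free(a);
    return result;    /* 1: short name stored, over-long name rejected */
}
```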
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-077.shtml
 ORIGINAL BULLETIN:  Citrix CTX108354
                     http://support.citrix.com/article/CTX108354&printable=true
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3652
______________________________________________________________________________

[***** Start CTX108354 *****]

CTX108354 - Vulnerability in Program Neighborhood client could result in
arbitrary code execution

This document was published at: http://support.citrix.com/article/CTX108354

Document ID: CTX108354, Created on: Dec 13, 2005, Updated: Dec 16, 2005

Products: ICA Win32 Program Neighborhood Client

Severity: High

Description of Problem

The Citrix Program Neighborhood client supports a UDP based application
enumeration mechanism; if this functionality is used to present the client
with a very long application name then an implementation flaw in the client
could result in an internal buffer being overflowed. It is possible that this
buffer overflow could be used to execute malicious code within the client
process.

The following clients are affected by this issue:

 • Citrix Program Neighborhood version 9.1 and earlier for 32-bit and 64-bit
   Windows

The Citrix Web client and the Citrix Program Neighborhood Agent client are not
affected by this vulnerability.

This vulnerability has been assigned the following CVE number:

 • CVE-2005-3652 - Citrix Program Neighborhood Name Heap Corruption
   Vulnerability

Mitigating Factors

For this vulnerability to be exploited the client would have to be explicitly
configured to point to a malicious UDP server, or a malicious UDP server would
have to be installed on the same subnet as the client.

What Customers Should Do

This issue has been fixed in versions 9.150 and later of the Program
Neighborhood client.
Citrix recommends that affected customers upgrade to a fixed version; updated
client packages can be downloaded from the following location:

http://www.citrix.com/English/SS/downloads/downloads.asp?dID=2755

Acknowledgements

Citrix thanks iDefense for reporting this issue and working with us to protect
customers.

What Citrix Is Doing

Citrix is proactively notifying customers and channel partners about this
potential security issue. An article containing the information in this
bulletin is available from the Citrix Knowledge Base at
http://support.citrix.com/.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Information for contacting Citrix Technical Support is
available at http://support.citrix.com/.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities very seriously. If you would like to report
a security issue to Citrix, please compose an e-mail to secure@citrix.com
containing the exact version of the product in which the vulnerability was
found and steps to reproduce the vulnerability.

--------------------------------------------------------------------------------
©1999-2004 Citrix Systems, Inc. All Rights Reserved

[***** End CTX108354 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Citrix for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-067: RealNetworks Security Update
Q-068: 'xpdf' Vulnerability
Q-069: Sun Java System Communications Services Vulnerability
Q-070: Sun Java System Application Server Reverse SSL Proxy Plugin Vulnerability
Q-071: HP-UX Running IPSec Remote Unauthorized Access
Q-072: Sun Update Connection Web Proxy Password Disclosure Vulnerability
Q-073: IBM Tivoli Directory Server Vulnerability
Q-074: Cumulative Security Update for Internet Explorer
Q-075: Vulnerability in Windows Kernel
Q-076: Sober.X (Y) To Download New Code On or After Jan. 6