Hi, The following advisory has been released by cqure.net. The severity level has been set to low, as in Citrix's advisory available at; http://support.citrix.com/kb/entry.jspa?entryID=4289&categoryID=118 The reason for the low severity is the fact that you have to be local admin on the Citrix server itself to perform the attack. That said, an attacker attacking for example an ASP could still end up with admin privileges on a couple of customer domains and local network access to a few thousands of workstations. Since the access to drives is tunneled through the clients ICA session a firewall would not block this. Then again an attacker could probably do a lot worse things as local admin :) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================ cqure.net Security Vulnerability Report No: cqure.net.20040430.citrixmetaframe ============================================================ Vulnerability Summary - ------------------- Severity: Low Threat: An administrator can access all of the Citrix user's client drives Products: MetaFrame XP Presentation Server for Windows 1.0 MetaFrame 1.8 Platforms: All Solution: Apply vendor supplied patches Vulnerability Description - ----------------------- It is possible for an administrator to mount any client drive available in any user's Citrix session. The drive has to be mounted on the client (local or network drive) but does not need to be mounted inside the Citrix session. Access to the drives is granted as the user running the Citrix client. Solution - ------ Apply the patches outlined in the Citrix advisory; http://support.citrix.com/kb/entry.jspa?entryID=4289 &categoryID=118 Additional Information - -------------------- It should be noted that administrative access to the Citrix Server is required to achieve this particular attack. There are of course other approaches to achieving the same end result even with the patch applied to the system being the local administrator. This advisory is available at http://www.cqure.net -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQJIIqk8V4IWk13ufEQI13QCg63MqunM28K7RpaJ82ntcrHQXK7QAn2OI cqJHSX86VQnG/eKx6t+S5YgC =aZ8r -----END PGP SIGNATURE----- -- Patrik Karlsson, patrik@cqure.net http://www.cqure.net
