A major vulnerability dubbed “HeartBleed” was disclosed to the world last Monday. It affects OpenSSL, the popular cryptographic software library used in many Linux/Unix OSs. If exploited, it could allow an attacker to interact with these secure servers and cause them to disclose the contents of their memory, in chunks. These memory chunks could contain private SSL keys, user data, passwords, or other sensitive information. There is no restriction on how many times chunks can be requested or on which chunks can be asked for; the only limit is 64k at a time. In addition, an attack of this nature would more than likely not trigger any normal alerts or alarms within those systems.
Advanced details regarding this vulnerability can be reviewed here: http://www.heartbleed.com
How might this affect a Citrix Administrator? The good news is not much, as long as you have maintained your environment with current Citrix supported versions.
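Because an attack like this is unlikely to trip normal alerts, one network-side check is to compare heartbeat traffic in each direction: under RFC 6520 a heartbeat reply echoes what was sent, so replies far larger than the requests stand out. This is an added example, not code from the original post, Citrix or OpenSSL; the function names, the 256-byte slack and the sample captures are assumptions constructed for illustration, and it assumes TLS 1.2 or earlier, where the record type is visible on the wire.

```python
import struct

HEARTBEAT = 24   # TLS record content type assigned to heartbeat by RFC 6520
SLACK = 256      # assumed tolerance for padding/MAC differences between directions

def heartbeat_sizes(stream: bytes):
    """Return the fragment length of every heartbeat record in one direction."""
    sizes, offset = [], 0
    while offset + 5 <= len(stream):
        # TLS record header: 1-byte type, 2-byte version, 2-byte length
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        if offset + 5 + length > len(stream):
            break  # truncated capture: stop rather than misparse
        if ctype == HEARTBEAT:
            sizes.append(length)
        offset += 5 + length
    return sizes

def oversized_replies(client_to_server: bytes, server_to_client: bytes,
                      slack: int = SLACK):
    """Return a finding when heartbeat bytes sent back exceed the bytes sent in."""
    asked = sum(heartbeat_sizes(client_to_server))
    answered = sum(heartbeat_sizes(server_to_client))
    if answered > asked + slack:
        return {"asked": asked, "answered": answered, "excess": answered - asked}
    return None

def record(ctype: int, fragment_len: int) -> bytes:
    """Build a constructed TLS record with filler bytes (sample data only)."""
    return struct.pack("!BHH", ctype, 0x0302, fragment_len) + b"\x00" * fragment_len

# Constructed sample captures as (client_to_server, server_to_client) pairs.
BENIGN = (record(22, 120) + record(HEARTBEAT, 35),
          record(22, 900) + record(HEARTBEAT, 35))
LEAKY = (record(HEARTBEAT, 24), record(HEARTBEAT, 16384) * 4)

if __name__ == "__main__":
    print("benign:", oversized_replies(*BENIGN))
    print("leaky: ", oversized_replies(*LEAKY))
```

The check works on record headers only, so it does not need the session keys; tune the slack to the cipher suites in use before alerting on it.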
Citrix has released the following Knowledge document detailing which of their products have undergone testing for this issue: http://support.citrix.com/article/CTX140605
For the following products, you need not worry. Citrix has tested them and verified they are safe.
- NetScaler & NetScaler Gateway — All currently supported versions of the product are safe
- Citrix Secure Gateway (CSG) — All currently supported versions of the product are safe
- Citrix StoreFront — All currently supported versions of the product are safe
Citrix Web Interface can also be considered safe if it has been deployed via a Windows IIS server. If the Web Interface has been deployed to a *nix-based OS, please check with that OS’s vendor for vulnerability details, as Web Interface makes use of the underlying OS’s security.
A full product matrix of currently supported Citrix Product versions can be viewed here: http://www.citrix.com/support/product-lifecycle/product-matrix.html
Please contact us if we can be of assistance.