Virtualization vendor Citrix Systems Inc. is urging users of its XenApp and XenDesktop products to install new patches it has issued for a flaw in the products’ XML Service interface. The vulnerability is rated as severe.
Fort Lauderdale, Fla.-based Citrix said the flaw could be exploited by sending a specially crafted packet to the vulnerable component, enabling a remote, unauthenticated attacker to execute arbitrary code in the context of a service account of a server supporting XenApp, the vendor’s application virtualization product, or XenDesktop, its desktop virtualization platform.
The XML Service can be configured to share a port with Microsoft IIS, or to use its own port. In the case of the latter, the XML Service components will be hosted by the standalone Citrix XML Service, which is implemented by ctxxmlss.exe. Only deployments that make use of ctxxmlss.exe are affected by this vulnerability.
Most versions, with the exception of XenDesktop 5, are affected by the vulnerability.
Although the flaw is rated as severe, Citrix says an attacker would need to be able to access the XML Service interface in order to exploit it, which would not normally be exposed to the Internet.
Nevertheless, the vendor recommends that all customers immediately download and install the Citrix patches, known as hotfixes, listed on its website.