Citrix patches severe XenDesktop, XenApp security flaw

The virtualization vendor says a severe XenDesktop and XenApp security flaw needs immediate patching, or else an attacker may execute arbitrary code.

Virtualization vendor Citrix Systems Inc. is urging users of its XenApp and XenDesktop products to install new patches it has issued for a flaw in the products’ XML Service interface. The vulnerability is rated as severe.

Fort Lauderdale, Fla.-based Citrix said the flaw could be exploited by sending a specially crafted packet to the vulnerable component, enabling a remote, unauthenticated attacker to execute arbitrary code in the context of a service account of a server supporting XenApp, the vendor’s application virtualization product, or XenDesktop, its desktop virtualization platform.

The XML Service can be configured to share a port with Microsoft IIS, or to use its own port. In the case of the latter, the XML Service components will be hosted by the standalone Citrix XML Service, which is implemented by ctxxmlss.exe. Only deployments that make use of ctxxmlss.exe are affected by this vulnerability.

Most versions, with the exception of XenDesktop 5, are affected by the vulnerability.

Although the flaw is rated as severe, Citrix says an attacker would need to be able to access the XML Service interface in order to exploit it, which would not normally be exposed to the Internet.

Nevertheless, the vendor recommends that all customers immediately download and install the Citrix patches, known as hotfixes, listed on its website.

Dig deeper on Security patch management and Windows Patch Tuesday news

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close