Document ID: CTX111686
Created: Jan 23, 2007
Updated: Jan 23, 2007
Products: Citrix Presentation Server 4.0 for Microsoft Windows 2003, Citrix Presentation Server 4.0 for Microsoft Windows 2000, Citrix Presentation Server 4.0 x64 Edition, Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2000, Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2003, Citrix MetaFrame XP 1.0 for Microsoft Windows 2000, Citrix MetaFrame XP 1.0 for Microsoft Windows 2003
Severity: High

Description of Problem

The Citrix print provider is used by Citrix Presentation Server to allow users to print to their local printer from published applications. A buffer overflow vulnerability has been reported in this component. It can be exploited by either:

• A local API call
• An unauthenticated RPC request

This overflow could be used to execute arbitrary code in the context of the Local System account.

This vulnerability is present in all versions of Citrix MetaFrame XP and Presentation Server up to and including 4.0.

Mitigating Factors

Access to the RPC interface would be needed to remotely exploit this issue. In typical deployments of Citrix Presentation Server this interface would not be externally accessible.

What Customers Should Do

A hotfix has been released to address both of these issues. Citrix recommends that affected customers install the hotfix, which can be downloaded from the following locations:

MetaFrame XP 1.0 for Windows 2000 Server:
EN – http://support.citrix.com/article/CTX111648
FR – http://support.citrix.com/article/CTX111650
GE – http://support.citrix.com/article/CTX111651
JA – http://support.citrix.com/article/CTX111655
ES – http://support.citrix.com/article/CTX111653

MetaFrame XP 1.0 for Windows Server 2003:
EN – http://support.citrix.com/article/CTX111657
FR – http://support.citrix.com/article/CTX111658
GE – http://support.citrix.com/article/CTX111659
JA – http://support.citrix.com/article/CTX111661
ES – http://support.citrix.com/article/CTX111660

MetaFrame Presentation Server 3.0 for Windows 2000 Server:
EN – http://support.citrix.com/article/CTX111992
FR – http://support.citrix.com/article/CTX111993
GE – http://support.citrix.com/article/CTX111994
JA – http://support.citrix.com/article/CTX111996
ES – http://support.citrix.com/article/CTX111995

MetaFrame Presentation Server 3.0 for Windows Server 2003:
EN – http://support.citrix.com/article/CTX111970
FR – http://support.citrix.com/article/CTX111972
GE – http://support.citrix.com/article/CTX111973
JA – http://support.citrix.com/article/CTX111971
ES – http://support.citrix.com/article/CTX111974

Citrix Presentation Server 4.0 for Windows 2000 Server:
EN – http://support.citrix.com/article/CTX111949
FR – http://support.citrix.com/article/CTX111950
GE – http://support.citrix.com/article/CTX111951
JA – http://support.citrix.com/article/CTX111953
ES – http://support.citrix.com/article/CTX111952

Citrix Presentation Server 4.0 for Windows Server 2003:
EN – http://support.citrix.com/article/CTX111925
FR – http://support.citrix.com/article/CTX111926
GE – http://support.citrix.com/article/CTX111927
JA – http://support.citrix.com/article/CTX111929
ES – http://support.citrix.com/article/CTX111928

Citrix Presentation Server 4.0 for Windows Server 2003 x64 Editions:
EN – http://support.citrix.com/article/CTX111643
FR – http://support.citrix.com/article/CTX111645
GE – http://support.citrix.com/article/CTX111644
JA – http://support.citrix.com/article/CTX111654
ES – http://support.citrix.com/article/CTX111652

Acknowledgements

Citrix thanks TippingPoint and the Zero Day Initiative for working with us to protect customers.

What Citrix Is Doing

Citrix is proactively notifying customers and channel partners about this potential security issue. An article containing the information in this bulletin is available from the Citrix Knowledge Base at http://support.citrix.com/.

Obtaining Support on this Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Information for contacting Citrix Technical Support is available at http://support.citrix.com/.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities very seriously. If you would like to report a security issue to Citrix, please compose an e-mail to [email protected] containing the exact version of the product in which the vulnerability was found and steps to reproduce the vulnerability.