An IT security consultancy has today said that its testing of Citrix implementations has uncovered widespread vulnerability issues the application delivery vendor has failed to address.
The issue, first revealed to Citrix by Global Secure Systems (GSS) six months ago, has affected 100 per cent of deployments tested by the UK consultancy, leaving them vulnerable to arbitrary code execution.
Although the issues are not an issue with Citrix itself or its applications, GSS warned that the vulnerabilities it had uncovered were "potentially devastating" result of poor implementation of Citrix.
Robin Hollington, GSS director of consulting, told IT PRO that too many IT organisations install Citrix without comprehensive knowledge of the design and management of the Citrix environment and careful consideration of how to mitigate risk.
Having discovered the issues and then noticed more discussion of them in hacker communities, GSS decided to publicise details from the findings of its Citrix Environment Security Assessment (CESA), developed in response to possible attack methods it identified.
The ongoing GSS assessments have found more than 80 per cent of deployments exposed commercially sensitive data and many breached Data Protection Act requirements.
It further found standard security procedures were not applied to most Citrix deployments, in environments ranging from Citrix for Windows NT 4.0 to the latest Citrix nFuse deployments on Windows 2003 Server.
Hollington added that, with very little specialist knowledge, a hacker could gain access to a poorly configured Citrix system in as little as 30 seconds. But, given the potential for misuse, GSS would not publish exact details of the CESA test methods undertaken.
He did give an example of the scale of the threat: "In a financial services company, we found a spreadsheet containing the domain admin passwords for each and every server. Our assessments prove that this information can be readily accessed with very little knowledge and easily leaked out of the business."
Hollington said Citrix do provide regularly updated hardening guides' for configuring their products. But he suggested IT organisations either don't use them or become lax in adhering to them after completing a few deployments.
And applying additional mitigation measures merely addressed the symptoms, not the causes and can often target expenditure in the wrong areas, he added.
Testing is therefore essential to identify the real issues and select the appropriate controls, said Hollington.
Citrix had not responded to a request for information at the time of writing.
-
How the UK MoJ achieved secure networks for prisons and offices with Palo Alto NetworksCase study Adopting zero trust is a necessity when your own users are trying to launch cyber attacks
-
Putting small language models under the microscopeITPro Podcast The benefits of small language models are undeniable – but they're no silver bullet
-
Citrix Bleed an “early Christmas present” for hackers as flaw claims latest victimNews Xfinity is the latest firm to fall victim to the Citrix Bleed vulnerability
-
Citrix Bleed remains out of control with thousands of appliances still vulnerableNews Thousands of organizations at risk of Citrix Bleed have still not patched, analysis suggests
-
What is Citrix Bleed and should you be worried?News A critical buffer over-read can expose sensitive information in affected devices
-
Patch-resistant autonomous exploits of Citrix NetScaler hardware hit thousands in EuropeNews More than 1,800 Citrix NetScaler devices still contained backdoors at the time of publication
-
Citrix discloses critical NetScaler Gateway vulnerabilityNews Users of affected products have been urged to implement patches immediately to mitigate risk
-
Citrix patches XenMobile vulnerabilityNews Positive Technologies spots serious flaw in Citrix XenMobile
-
Hackers are taking advantage of Citrix vulnerabilitiesNews Hackers discovered targeting corporate networks impacted by Citrix vulnerabilities
-
Citrix Synergy 2019: One year on GDPR is shaping the role of privacy in brand survivalIn-depth Despite big fines levied, Citrix’s privacy chief says we still don’t have a sense of what enforcement will look like
