Consultant warns on Citrix deployment vulnerabilities

An IT security consultancy has today said that its testing of Citrix implementations has uncovered widespread vulnerability issues the application delivery vendor has failed to address.

The issue, first revealed to Citrix by Global Secure Systems (GSS) six months ago, has affected 100 per cent of deployments tested by the UK consultancy, leaving them vulnerable to arbitrary code execution.

Although the problems do not lie with Citrix itself or its applications, GSS warned that the vulnerabilities it had uncovered were a "potentially devastating" result of poor implementation of Citrix.

Robin Hollington, GSS director of consulting, told IT PRO that too many IT organisations install Citrix without comprehensive knowledge of the design and management of the Citrix environment and careful consideration of how to mitigate risk.

Having discovered the issues and then noticed more discussion of them in hacker communities, GSS decided to publicise details from the findings of its Citrix Environment Security Assessment (CESA), developed in response to possible attack methods it identified.

The ongoing GSS assessments have found more than 80 per cent of deployments exposed commercially sensitive data and many breached Data Protection Act requirements.

It further found standard security procedures were not applied to most Citrix deployments, in environments ranging from Citrix for Windows NT 4.0 to the latest Citrix nFuse deployments on Windows 2003 Server.

Hollington added that, with very little specialist knowledge, a hacker could gain access to a poorly configured Citrix system in as little as 30 seconds. But, given the potential for misuse, GSS would not publish exact details of the CESA test methods undertaken.

He did give an example of the scale of the threat: "In a financial services company, we found a spreadsheet containing the domain admin passwords for each and every server. Our assessments prove that this information can be readily accessed with very little knowledge and easily leaked out of the business."

Hollington said Citrix does provide regularly updated 'hardening guides' for configuring its products. But he suggested IT organisations either don't use them or become lax in adhering to them after completing a few deployments.

And applying additional mitigation measures merely addresses the symptoms, not the causes, and can often target expenditure in the wrong areas, he added.

Testing is therefore essential to identify the real issues and select the appropriate controls, said Hollington.

Citrix had not responded to a request for information at the time of writing.

Miya Knights
