Vigil@nce - Citrix Password Manager: information disclosure


we track for your security since 1999

resources

Vigil@nce describes vulnerabilities impacting your systems, and offers solutions to correct them.

recent vulnerabilities

tracked products

RSS feed

vulnerability

vulnerability announce 8742 Citrix Password Manager: information disclosure
Synthesis of the vulnerability

An authenticated attacker can obtains his own secondary credentials used by Citrix Password Manager.

Severity: 1/4.
Consequences: data reading.
Provenance: user account.
Means of attack: no proof of concept, no attack.
Ability of attacker: expert (4/4).
Confidence: confirmed by the editor (5/5).
Diffusion of the vulnerable configuration: high (3/3).
Creation date: 28/05/2009.

Impacted products

Citrix XenApp

Description of the vulnerability

The Citrix Password Manager product manages authentication of users. Each user authenticates on Citrix Password Manager, and can then connect to another service requiring an authentication. The second login and password ("secondary credentials") is provided by Citrix Password Manager.

The administrator can configure Citrix Password Manager in order to forbid users to have access to their secondary credentials.

However, a vulnerability of Citrix Password Manager can be used by a user to read his own secondary credentials. Technical details are unknown.

An authenticated attacker can therefore directly connect to the service using the second login and password.

Characteristics

Title: Citrix Password Manager: information disclosure
Identifiers: BID-35133, CTX120743, VIGILANCE-VUL-8742.
Url: https://vigilance.fr/tree/1/8742

Information sources

Publications and announces
Source example: Vulnerability in Citrix Password Manager could result in information disclosure

Solutions for this vulnerability

Patch or workaround