vulnerability announce 8742

Citrix Password Manager: information disclosure

Synthesis of the vulnerability

An authenticated attacker can obtains his own secondary credentials used by Citrix Password Manager.

Severity: 1/4. Creation date: 28/05/2009.

Description of the vulnerability

The Citrix Password Manager product manages authentication of users. Each user authenticates on Citrix Password Manager, and can then connect to another service requiring an authentication. The second login and password ("secondary credentials") is provided by Citrix Password Manager. The administrator can configure Citrix Password Manager in order to forbid users to have access to their secondary credentials. However, a vulnerability of Citrix Password Manager can be used by a user to read his own secondary credentials. Technical details are unknown. An authenticated attacker can therefore directly connect to the service using the second login and password.

Complete Vigil@nce bulletin

Access to the complete Vigil@nce bulletin

Characteristics

Title: Citrix Password Manager: information disclosure. Keywords: Citrix Manager Password disclosure information. Identifiers: BID-35133, CTX120743, VIGILANCE-VUL-8742.

Information sources

Publications and announces Source example: Vulnerability in Citrix Password Manager could result in information disclosure

Solutions for this vulnerability

Patch or workaround

Computer vulnerabilities tracking service

The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Technology watch team on vulnerabilities