Widespread Citrix vulnerabilities are due to implementation errors


Serious issues can leave manufacturers vulnerable to a breach of internal systems and data if they implement Citrix incorrectly.

So says security specialist Global Secure Systems (GSS), adding that, six months after vulnerabilities were exposed, nothing has changed. GSS emphasises that whilst this is not an issue with Citrix itself, nor its applications, it is the potentially devastating result of poor implementations of Citrix.

Robin Hollington, director of consulting for GSS, explains that too many people install Citrix without good enough knowledge of the design and management of the Citrix environment, or careful consideration of how to mitigate risk.

“Imagine how your board would feel if they discovered that a junior clerk had subverted controls to gain access to board members’ restricted network drives, had the freedom to browse through payroll, trading and research data, and the facility to export this and other sensitive information, such as business plans and customer databases, without being detected,” he says. “In a financial services company, we found a spreadsheet containing the domain admin passwords for each and every server, and the quotes, methodologies, terms and reports from a number of competitors. Our assessments prove that this information can be readily accessed with very little knowledge and easily leaked.”

His assessment is that 100% of Citrix deployments tested have been vulnerable to arbitrary code execution; more than 80% of deployments exposed commercially sensitive data; many also breach Data Protection Act requirements; and standard security procedures were not applied to most Citrix deployments.

Last year, the fastest breach took only 15 seconds after logging on to the service. In recent weeks this has been reduced to under 10 seconds, according to Hollington. Even in the most locked-down environment GSS ever encountered, five high-risk vulnerabilities were discovered. These were the result, he says, of small errors made in configuration.

“Typically many more such errors are found, any one of which could lead to the network being compromised.

“Most recently, in a very well hardened implementation where there were very few issues initially, GSS was able to write and run a Java port scanning tool, leading to the discovery of the entire network and DR configuration and admin passwords.”

Hollington says that although hardening guides are useful, simply working from these is not sufficient to secure the Citrix/Windows environment. Even a single, small, overlooked opening can be exploited to give high-risk access.

“Although Citrix update their guides regularly, GSS still sees problems and can only assume they are not being adequately followed. Furthermore, applying additional mitigation measures merely addresses the symptoms, not the causes, and can often target expenditure in the wrong areas. Testing is essential to identify the real issues and select the appropriate controls,” he says.