CVE-2015-0235 - Citrix Security Advisory for glibc GHOST Vulnerability

Overview

A vulnerability has been recently disclosed in the glibc gethostbyname() function. This issue could potentially allow an attacker to inject code into a process that calls the vulnerable function. The issue is known as the GHOST vulnerability and has been assigned the following CVE identifier:

CVE-2015-0235: _ <https://vulners.com/cve/CVE-2015-0235&gt;_

The vulnerable function is provided by some Linux based operating systems. Customers managing Linux platforms on which Citrix components are deployed are advised to apply any appropriate operating system updates as soon as possible.

A number of Citrix products incorporate Linux components. The following sections provide guidance on the impact and mitigation steps for these products. Citrix products that do not include or execute on a Linux based platform are not impacted by this vulnerability.

Citrix NetScaler MPX and VPX, and all Windows based components of XenDesktop and XenApp, do not include or use the vulnerable function and are therefore not impacted by this issue.

What Citrix Is Doing

Citrix is in the process of analyzing the potential impact of this issue on currently supported products that include the vulnerable component. The following section of this advisory provides more information on each product.

Products That May Include The Vulnerable Component:

Citrix XenServer

Citrix XenServer does include a vulnerable version of glibc but at present there is no known route by which a guest virtual machine would be able to invoke the vulnerable functionality through the hypervisor interface. As a defence in depth measure, Citrix has released a hotfix that updates the version of glibc present in XenServer. This is available at the following address: <https://support.citrix.com/article/CTX200437&gt;

Citrix NetScaler SDX

The NetScaler SDX service VM (SVM) and NetScaler virtual appliances (VPX) running on SDX appliance do not contain the vulnerable component and, as such, are not directly vulnerable to this issue. NetScaler SDX uses a version of XenServer which includes the vulnerable glibc component. At present there is no known route by which the issue could be exploited on the SDX platform.

Citrix XenMobile

Citrix XenMobile MDM functionality (both on-premise and cloud installations) is not impacted by this vulnerability. Citrix XenMobile Server 10.x is not impacted by this vulnerability.

The following versions of XenMobile AppController are impacted by this vulnerability:

• Citrix XenMobile App Controller 9.0 Rolling Patch 6 and earlier

To address this vulnerability, customers should apply Citrix XenMobile App Controller 9.0 Rolling Patch 7 or later. This update is available at the following address: <https://support.citrix.com/article/CTX207571&gt;

Citrix Licensing

Currently supported versions of the Citrix License Server VPX are impacted by this vulnerability.

To address this issue, Citrix recommends that customers log in to the License Server console and update the VPX using the following command from the command line:

yum update

Following the completion of the update, the server should be rebooted to ensure that the updated packages are used.

Citrix CloudPlatform

The following versions of Citrix CloudPlatform are impacted by this vulnerability:

• Citrix CloudPlatform 4.3.x: This vulnerability affects all versions of CloudPlatform up to and including version 4.3.0.2.
• Citrix CloudPlatform 4.2.x: This vulnerability affects all versions of CloudPlatform up to and including version 4.2.1-6.
• Citrix CloudPlatform 3.0.x: This vulnerability affects all versions of CloudPlatform up to and including version 3.0.7 Patch G.

Citrix CloudPlatform 4.5 does include a vulnerable version of glibc but we do not believe that a valid route to exploit exists.

To address this vulnerability, customers should update their system and router virtual machine templates to the latest version. More information on how to obtain and upgrade these templates is available in the following article: <https://support.citrix.com/article/CTX200024&gt;

Citrix XenClient Enterprise

Analysis of the impact to XenClient Enterprise is in progress. This section will be updated as soon as additional information is available

Citrix ByteMobile Traffic Director (T1000 series systems)

ByteMobile Traffic Director is not affected by this vulnerability.

Citrix ByteMobile Video Cache (T2000 series systems)

ByteMobile Video Cache does make use of a vulnerable version of glibc. At present there is no known route by which the issue could be exploited. Citrix is currently in the process of releasing product updates to remove the underlying issue. This section will be updated when more information becomes available.

Citrix ByteMobile Adaptive Traffic Manager (T3000 series systems)

ByteMobile Adaptive Traffic Manager does make use of a vulnerable version of glibc. At present there is no known route by which the issue could be exploited. Citrix is currently in the process of releasing product updates to remove the underlying issue. This section will be updated when more information becomes available.

Citrix VDI-In-A-Box

The following versions of Citrix VDI-In-A-Box (VIAB) are impacted by this vulnerability:

Citrix VDI-In-A-Box 5.4.x: A new version of VIAB, 5.4.6, has been released to address this vulnerability. This can be found at the following address: <https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54.html&gt;

Citrix VDI-In-A-Box 5.3.x: A new version of VIAB, 5.3.10, has been released to address this vulnerability. This can be found at the following address: <https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53.html&gt;

Citrix Command Center

Citrix Command Center is impacted by this vulnerability. A new version of the product, 5.2 Build 44.8, has been released to address this vulnerability. This can be found at the following address:

<https://www.citrix.com/downloads/command-center.html&gt;

The above list will be updated as the analysis into this issue progresses.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at _ <https://www.citrix.com/support/open-a-support-case.html&gt;_.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix

Changelog

Date	Change
January 28th 2015	Initial bulletin publishing
February 3rd 2015	Update to XenMobile section
February 18th 2015	Update to XenServer section
February 23rd 2015	Addition of ByteMobile sections
March 4th 2015	Update to CloudPlatform section
March 18th 2015	Addition of VDI-In-A-Box section
April 28th 2015	Update to Licensing section
May 11th 2015	Update to NetScaler SDX section
June 18th 2015
Update to VDI-In-A-Box section
October 13th 2015	Addition of Command Center section
May 5th 2016	Update to XenMobile section
May 9th 2016	Clarify XenMobile section