Description of Problem
A vulnerability has been identified in Citrix XenDesktop that could result in a user gaining unauthorized interactive access to another user’s desktop.
This vulnerability affects a specific, non-default configuration of Citrix XenDesktop 7 (all versions up to and including 7.5), Citrix XenDesktop 5 (up to and including Rollup 5.6.300 for Citrix XenDesktop 5.6 FP1) and Citrix XenDesktop 4 (all versions).
This vulnerability only affects Citrix XenDesktop deployments that use pooled random desktop groups and where the broker configuration setting ShutdownDesktopsAfterUse is set to disabled. Configurations that only use assigned desktop groups, including RemotePC access scenarios and user-dedicated desktops, are not affected by this issue.
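To find desktop groups in the affected configuration, here is an added PowerShell audit example (not Citrix's code) that queries the Broker SDK on a Delivery Controller for pooled random groups with ShutdownDesktopsAfterUse disabled. It assumes pooled random groups report DesktopKind 'Shared' and that the snap-in is named Citrix.Broker.Admin.V2; it complements the hotfixes, it does not replace them.

```powershell
# Added audit example, not Citrix's own code. Lists pooled random desktop
# groups where ShutdownDesktopsAfterUse is disabled (the affected
# configuration) and optionally restores the default (enabled).
# Assumptions: pooled random groups have DesktopKind 'Shared'; the Broker
# snap-in is Citrix.Broker.Admin.V2. Run on a Delivery Controller.
param(
    [switch]$Remediate   # set to re-enable ShutdownDesktopsAfterUse on matches
)

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Get-AffectedDesktopGroup {
    # Assigned groups (DesktopKind 'Private': dedicated desktops, Remote PC)
    # are out of scope for this advisory, so only 'Shared' groups are checked.
    Get-BrokerDesktopGroup |
        Where-Object { $_.DesktopKind -eq 'Shared' -and -not $_.ShutdownDesktopsAfterUse } |
        Select-Object Name, Uid, DesktopKind, ShutdownDesktopsAfterUse
}

$affected = @(Get-AffectedDesktopGroup)

if ($affected.Count -eq 0) {
    Write-Output 'No pooled random desktop groups have ShutdownDesktopsAfterUse disabled.'
    return
}

Write-Warning "$($affected.Count) desktop group(s) match the affected configuration:"
$affected | Format-Table -AutoSize

if ($Remediate) {
    foreach ($group in $affected) {
        # Restore the default so each desktop is shut down and its image reset
        # after a session ends, as the advisory describes.
        Set-BrokerDesktopGroup -Name $group.Name -ShutdownDesktopsAfterUse $true
        Write-Output "Re-enabled ShutdownDesktopsAfterUse on '$($group.Name)'."
    }
}
```

Run without -Remediate first to review the matches; the hotfix for the installed XenDesktop version still needs to be applied regardless of the setting.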
This vulnerability has been assigned the following CVE number:
• CVE-2014-4700: Vulnerability in Citrix XenDesktop versions 7.x, 5.x and 4.x could result in unauthorized access to another user’s desktop.
The configuration setting ShutdownDesktopsAfterUse is enabled by default in configurations that use pooled desktop groups, so that the disk image is reset and the desktop cleaned after each use. For more details, please see the following Citrix Knowledgebase article:
What Customers Should Do
Updates to Citrix XenDesktop have been released to address this issue. Citrix strongly recommends that affected customers apply these updates as soon as possible.
The hotfixes for Citrix XenDesktop 7.1 and 7.5 can be downloaded from the following locations:
A VDA Rollup for Citrix XenDesktop 5.6 FP1 can be downloaded from the following location:
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix