Foundstone Labs Advisory

Advisory Name: Citrix MetaFrame Password Manager 2.0 credentials not
encrypted under certain configurations
Release Date: April 5, 2004
Application: Citrix MetaFrame Password Manager 2.0
Platforms: Windows 2000 and Windows XP
Type: Information Disclosure
Vendors: Citrix
Vendor Advisory:
http://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=256
Authors: Vijay Akasapu and David Wong
Reference: http://www.foundstone.com/advisories

Overview:

The Citrix MetaFrame Password Manager 2.0 product provides
enterprise-level single sign-on (SSO) functionality, enabling users
to authenticate just once with a single set of credentials to gain
access to a variety of applications, systems, and web sites that
require secondary logons. The product accomplishes this by storing
user's passwords in an encrypted database and automatically providing
credentials to applications when needed. The credentials are normally
encrypted using the 3DES algorithm in both the local and central
store. However, if an administrator inadvertently fails to configure
the Citrix MetaFrame Password Manager agent to point to a central
credential store, the credentials will be stored in the local store
unencrypted. 

Mitigating Factors:

1. The local credential store is protected by Windows File Access
Control Lists (ACLs) that restrict access to the user or
Administrator

2. The credentials are stored unencrypted only when a central
credential store is not configured. This configuration is unlikely
to be encountered in a typical production deployment of Citrix
MetaFrame Password Manager

3. Only credentials entered immediately after executing the
First Time User Wizards are affected. Credentials entered
subsequently are encrypted.

Vendor Response:

Foundstone's software security consulting group identified this
vulnerability during a product security assessment of Citrix MetaFrame
Password Manager 2.0. The assessment was commissioned by Citrix as
part of their efforts to provide Citrix customers with more secure
software. 

Citrix has issued a security bulletin and Hotfix MPME100W001 to
address the vulnerability identified in  this advisory. It is
available at:
http://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=256 

Recommendation:

Apply Hotfix MPME100W001 provided by Citrix. If no central
credential store has been configured, the local credential store
should be manually deleted before the system is patched.

Administrators must ensure all deployments are configured with
synchronization to a central credential store (either Active
Directory or File Server).

Disclaimer:

The information contained in this advisory is copyright (c) 2004
Foundstone, Inc. and is believed to be accurate at the time of
publishing. However, no representation of any warranty is given,
expressed, or implied as to its accuracy or completeness. In no
event shall the author or Foundstone be liable for any direct,
indirect, incidental, special, exemplary or consequential damages
resulting from the use or misuse of this information. This advisory
may be redistributed, provided that no fee is assigned and that
the advisory is not modified in any way.

About Foundstone Foundstone Inc. addresses the security and
privacy needs of Global 2000 companies with world-class Enterprise
Vulnerability Management Software, Managed Vulnerability Assessment
Services, Professional Consulting and Education offerings. The
company has one of the most dominant security talent pools ever
assembled, including experts from Ernst & Young, KPMG,
PricewaterhouseCoopers, and the United States Defense Department.
Foundstone executives and consultants have authored nine books,
including the international best seller Hacking Exposed: Network
Security Secrets & Solutions.

Foundstone is headquartered in Orange County, CA, and has offices
in New York, Washington, DC, San Antonio, and Seattle. For more
information, visit www.foundstone.com or call 1-877-91-FOUND.

Copyright (c) 2004 Foundstone, Inc. All rights reserved worldwide.