Foundstone Labs Advisory Advisory Name: Citrix MetaFrame Password Manager 2.0 credentials not encrypted under certain configurations Release Date: April 5, 2004 Application: Citrix MetaFrame Password Manager 2.0 Platforms: Windows 2000 and Windows XP Type: Information Disclosure Vendors: Citrix Vendor Advisory: http://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=256 Authors: Vijay Akasapu and David Wong Reference: http://www.foundstone.com/advisories Overview: The Citrix MetaFrame Password Manager 2.0 product provides enterprise-level single sign-on (SSO) functionality, enabling users to authenticate just once with a single set of credentials to gain access to a variety of applications, systems, and web sites that require secondary logons. The product accomplishes this by storing user's passwords in an encrypted database and automatically providing credentials to applications when needed. The credentials are normally encrypted using the 3DES algorithm in both the local and central store. However, if an administrator inadvertently fails to configure the Citrix MetaFrame Password Manager agent to point to a central credential store, the credentials will be stored in the local store unencrypted. Mitigating Factors: 1. The local credential store is protected by Windows File Access Control Lists (ACLs) that restrict access to the user or Administrator 2. The credentials are stored unencrypted only when a central credential store is not configured. This configuration is unlikely to be encountered in a typical production deployment of Citrix MetaFrame Password Manager 3. Only credentials entered immediately after executing the First Time User Wizards are affected. Credentials entered subsequently are encrypted. Vendor Response: Foundstone's software security consulting group identified this vulnerability during a product security assessment of Citrix MetaFrame Password Manager 2.0. The assessment was commissioned by Citrix as part of their efforts to provide Citrix customers with more secure software. Citrix has issued a security bulletin and Hotfix MPME100W001 to address the vulnerability identified in this advisory. It is available at: http://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=256 Recommendation: Apply Hotfix MPME100W001 provided by Citrix. If no central credential store has been configured, the local credential store should be manually deleted before the system is patched. Administrators must ensure all deployments are configured with synchronization to a central credential store (either Active Directory or File Server). Disclaimer: The information contained in this advisory is copyright (c) 2004 Foundstone, Inc. and is believed to be accurate at the time of publishing. However, no representation of any warranty is given, expressed, or implied as to its accuracy or completeness. In no event shall the author or Foundstone be liable for any direct, indirect, incidental, special, exemplary or consequential damages resulting from the use or misuse of this information. This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way. About Foundstone Foundstone Inc. addresses the security and privacy needs of Global 2000 companies with world-class Enterprise Vulnerability Management Software, Managed Vulnerability Assessment Services, Professional Consulting and Education offerings. The company has one of the most dominant security talent pools ever assembled, including experts from Ernst & Young, KPMG, PricewaterhouseCoopers, and the United States Defense Department. Foundstone executives and consultants have authored nine books, including the international best seller Hacking Exposed: Network Security Secrets & Solutions. Foundstone is headquartered in Orange County, CA, and has offices in New York, Washington, DC, San Antonio, and Seattle. For more information, visit www.foundstone.com or call 1-877-91-FOUND. Copyright (c) 2004 Foundstone, Inc. All rights reserved worldwide.