SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   MetaFrame Password Manager Vendors:   Citrix
Citrix MetaFrame Password Manager May Disclose Passwords to Local Users
SecurityTracker Alert ID:  1009659
SecurityTracker URL:  http://securitytracker.com/id/1009659
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  May 20 2004
Original Entry Date:  Apr 5 2004
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0
Description:   A vulnerability was reported in the Citrix MetaFrame Password Manager. The software may store passwords in unencrypted form in certain situations.

Foundstone issued an advisory warning that Citrix MetaFrame Password Manager 2.0 authentication credentials may be stored in plain text in certain situations.

Ordinarily, the passwords are encrypted. However, if the agent is not configured with a central credential store (sync point) and a user runs the First Time User Wizard, the reported indicates that passwords entered immediately after running the wizard will not be encrypted for storage.

Impact:   The software may store passwords without encryption on the target system.
Solution:   The vendor has issued a revised fix (MPME200W001), available at:

http://support.citrix.com/kb/entry.jspa?entryID=4062

This revised fix replaces the previously issued fix (MPME100W001).

The vendor's advisory (document ID CTX103662) is available at:

http://support.citrix.com/kb/entry.jspa?entryID=4063&categoryID=254

Vendor URL:  support.citrix.com/kb/entry.jspa?entryID=4063&categoryID=254 (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  http://www.foundstone.com/products/sa/fs-sa-04-05-04.pdf


http://www.foundstone.com/products/sa/fs-sa-04-05-04.pdf

Foundstone issued an advisory warning that Citrix MetaFrame Password Manager 2.0 
authentication credentials may be stored in plain text in certain situations.  Ordinarily, 
the passwords are encrypted.  However, if the agent is not configured with a central 
credential store (sync point) and a user runs the First Time User Wizard, the reported 
indicates that passwords entered immediately after running the wizard will not be 
encrypted for storage.

The vendor has issued a fix (MPME 100W001).  See document ID CTX103662, available at:

http://support.citrix.com/kb/entry.jspa?entryID=4063&categoryID=254

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC