Foundstone Labs Advisory: Citrix MetaFrame Password Manager 2.0

From: Foundstone Labs (
Date: 04/06/04

  • Next message: Shaun Colley: "GNU Sharutils buffer overflow vulnerability."
    Date: Tue, 6 Apr 2004 10:30:54 -0700
    To: <>

    Foundstone Labs Advisory

    Advisory Name: Citrix MetaFrame Password Manager 2.0 credentials not
    encrypted under certain configurations
    Release Date: April 5, 2004
    Application: Citrix MetaFrame Password Manager 2.0
    Platforms: Windows 2000 and Windows XP
    Type: Information Disclosure
    Vendors: Citrix
    Vendor Advisory:
    Authors: Vijay Akasapu and David Wong


    The Citrix MetaFrame Password Manager 2.0 product provides
    enterprise-level single sign-on (SSO) functionality, enabling users
    to authenticate just once with a single set of credentials to gain
    access to a variety of applications, systems, and web sites that
    require secondary logons. The product accomplishes this by storing
    user's passwords in an encrypted database and automatically providing
    credentials to applications when needed. The credentials are normally
    encrypted using the 3DES algorithm in both the local and central
    store. However, if an administrator inadvertently fails to configure
    the Citrix MetaFrame Password Manager agent to point to a central
    credential store, the credentials will be stored in the local store

    Mitigating Factors:

    1. The local credential store is protected by Windows File Access
    Control Lists (ACLs) that restrict access to the user or

    2. The credentials are stored unencrypted only when a central
    credential store is not configured. This configuration is unlikely
    to be encountered in a typical production deployment of Citrix
    MetaFrame Password Manager

    3. Only credentials entered immediately after executing the
    First Time User Wizards are affected. Credentials entered
    subsequently are encrypted.

    Vendor Response:

    Foundstone's software security consulting group identified this
    vulnerability during a product security assessment of Citrix MetaFrame
    Password Manager 2.0. The assessment was commissioned by Citrix as
    part of their efforts to provide Citrix customers with more secure

    Citrix has issued a security bulletin and Hotfix MPME100W001 to
    address the vulnerability identified in this advisory. It is
    available at:


    Apply Hotfix MPME100W001 provided by Citrix. If no central
    credential store has been configured, the local credential store
    should be manually deleted before the system is patched.

    Administrators must ensure all deployments are configured with
    synchronization to a central credential store (either Active
    Directory or File Server).


    The information contained in this advisory is copyright (c) 2004
    Foundstone, Inc. and is believed to be accurate at the time of
    publishing. However, no representation of any warranty is given,
    expressed, or implied as to its accuracy or completeness. In no
    event shall the author or Foundstone be liable for any direct,
    indirect, incidental, special, exemplary or consequential damages
    resulting from the use or misuse of this information. This advisory
    may be redistributed, provided that no fee is assigned and that
    the advisory is not modified in any way.

    About Foundstone Foundstone Inc. addresses the security and
    privacy needs of Global 2000 companies with world-class Enterprise
    Vulnerability Management Software, Managed Vulnerability Assessment
    Services, Professional Consulting and Education offerings. The
    company has one of the most dominant security talent pools ever
    assembled, including experts from Ernst & Young, KPMG,
    PricewaterhouseCoopers, and the United States Defense Department.
    Foundstone executives and consultants have authored nine books,
    including the international best seller Hacking Exposed: Network
    Security Secrets & Solutions.

    Foundstone is headquartered in Orange County, CA, and has offices
    in New York, Washington, DC, San Antonio, and Seattle. For more
    information, visit or call 1-877-91-FOUND.

    Copyright (c) 2004 Foundstone, Inc. All rights reserved worldwide.

  • Next message: Shaun Colley: "GNU Sharutils buffer overflow vulnerability."