Check Point Reference: | CPAI-2005-230 |
Date Published: | 24 Dec 2009 |
Severity: | High |
Last Updated: | Thursday 24 December, 2009 |
Source: | |
Industry Reference: | CVE-2004-1078 |
Protection Provided by: | Security Gateway |
Who is Vulnerable? | |
Vulnerability Description | Citrix Presentation Server, formerly known as Citrix MetaFrame, is designed for central application deployment. It allows applications to be deployed and managed by a farm of dedicated servers and allows client machines to access those applications remotely. A buffer overflow vulnerability exists in the Citrix Program Neighborhood Agent. It can be triggered by sending a crafted XML response to the affected client. Successful exploitation can allow arbitrary code execution with the privileges of the current user. In an attack scenario where arbitrary code is injected and executed on the target machine, the behavior of the target depends on the intended purpose of the malicious code. If such an attack does not succeed, the vulnerable application may terminate as a result of the attempt. In a simpler attack scenario, where arbitrary code injection is not attempted, the target application will terminate abnormally. Because the vulnerable product caches the crafted XML file on the target system, the result of the attack is repeated on each attempt to restart the agent application. To restart the vulnerable product successfully, the appdata.xml file under the AppCache directory must be deleted first; otherwise the product fails to restart. |
This protection will detect and block attempts to exploit this vulnerability.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: Citrix ICA Protection Violation.
Attack Information: Citrix Program Neighborhood agent buffer overflow
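
For the recovery step in the vulnerability description (clearing appdata.xml from AppCache before the agent is restarted), the following is an added example, not Check Point or Citrix code. It moves the cached file to a quarantine directory and records its SHA-256 instead of deleting it, so the cached response remains available for analysis; the search root and quarantine directory are assumptions supplied by the operator, since the advisory gives only the file and directory names.

```python
import hashlib
import shutil
import time
from pathlib import Path

CACHE_DIR = "appcache"      # directory name from the advisory, compared case-insensitively
CACHE_FILE = "appdata.xml"  # cached file name from the advisory


def find_cached_responses(search_root):
    """Return every appdata.xml whose parent directory is named AppCache."""
    hits = []
    for path in Path(search_root).rglob("*"):
        if (path.is_file() and path.name.lower() == CACHE_FILE
                and path.parent.name.lower() == CACHE_DIR):
            hits.append(path)
    return sorted(hits)


def quarantine(search_root, quarantine_dir):
    """Move each cached file out of AppCache; return (original, sha256, new_path) records."""
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    records = []
    for index, path in enumerate(find_cached_responses(search_root)):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        # Timestamp, index and hash prefix keep names unique across profiles and runs.
        target = quarantine_dir / f"{int(time.time())}_{index}_{digest[:16]}_{CACHE_FILE}"
        shutil.move(str(path), str(target))
        records.append((str(path), digest, str(target)))
    return records


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: quarantine_appcache.py <search_root> <quarantine_dir>")
    for original, digest, target in quarantine(sys.argv[1], sys.argv[2]):
        print(f"{original}  sha256={digest}  ->  {target}")
```

Run it with the agent stopped, then restart the agent once the records have been saved.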