Title: Citrix MetaFrame Password Manager Failure To Encrypt Application Password Vulnerability
Severity: LOW
Description:
MetaFrame is a remote desktop software package distributed by Citrix. A vulnerability has been reported in MetaFrame Password Manager that may result in a failure to properly encrypt application passwords.
The issue is reported to occur when an application password is entered after the "First Time Use Wizard" and no sync point has been defined for the software. In that case MetaFrame Password Manager encodes the password but does not encrypt it, which may permit a local attacker to recover the unencrypted credentials from the local credential store. The local credential store database may be protected by Windows ACLs, so the attacker will require sufficient privileges to read the local credential store before exploiting this issue.
It should be noted that attempts to employ this password in any procedure would fail; this may present an indication to an administrator that the vulnerability exists.
Affected Products:
- Citrix MetaFrame Password Manager 2.0.0