A vulnerability has been identified in Citrix Licensing that could allow a remote, unauthenticated attacker to crash the License Server and potentially execute arbitrary code on the server.
- Citrix License Server for Windows versions prior to 11.13.1.2
- Citrix License Server VPX versions prior to 11.13.1.2
- Citrix CloudBridge
- Citrix NetScaler SVM
- Citrix NetScaler Insight Center
- Citrix ByteMobile
- Citrix XenMobile
- XenMobile Server 10.3.x
- XenMobile Server 10.1.x
- XenMobile Server 10.0.x
- XenMobile Device Manager 9.0
Details of this vulnerability are as follows:
Certain remote message parsing functions inside the FlexNet Publisher daemon use a custom string copy function that does not perform proper bounds checking on incoming data, so a specially crafted message can cause a stack buffer overflow. The same vulnerable code was also found packaged into all customer binaries produced by FlexNet Publisher. [CVE-2015-8277]
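To make the defect described above concrete, the following added C example (written for this page, not code from FlexNet Publisher or Citrix) contrasts a custom string copy with no bounds checking against a length-checked replacement that fails closed on oversized input. The "VENDOR:FEATURE" message format, the FIELD_MAX field size, the function names and the sample messages are all constructed assumptions; the advisory does not describe the real daemon's protocol or data layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size fields of a parsed license message; the real
 * daemon's layout is not given in the advisory. */
#define FIELD_MAX 32

struct parsed_msg {
    char vendor[FIELD_MAX];
    char feature[FIELD_MAX];
};

/* Vulnerable pattern: a "custom strcpy" that stops only at the terminator
 * and never consults the destination size. */
static void unbounded_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Unsafe parser for the constructed "VENDOR:FEATURE" format. Kept for
 * contrast only and never fed oversized input here: a field longer than
 * FIELD_MAX-1 bytes would write past the struct on the caller's stack,
 * which is the crash / code-execution primitive the advisory describes. */
int parse_message_unsafe(const char *msg, struct parsed_msg *out)
{
    char *d = out->vendor;
    while (*msg != '\0' && *msg != ':')
        *d++ = *msg++;                      /* no check against FIELD_MAX */
    *d = '\0';
    if (*msg != ':')
        return -1;
    unbounded_copy(out->feature, msg + 1);  /* same bug on the second field */
    return 0;
}

/* Hardened copy: the caller supplies the destination capacity and the
 * function refuses input that does not fit. Silently truncating would change
 * the meaning of a license field, so it fails closed instead. */
static bool bounded_copy(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (dst_len == 0 || src_len >= dst_len)
        return false;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

/* Hardened parser: works on an explicit length instead of trusting a
 * terminator, and returns -1 for a missing separator or an oversized field. */
int parse_message_safe(const char *msg, size_t msg_len, struct parsed_msg *out)
{
    const char *sep = memchr(msg, ':', msg_len);
    if (sep == NULL)
        return -1;
    size_t vlen = (size_t)(sep - msg);
    size_t flen = msg_len - vlen - 1;
    if (!bounded_copy(out->vendor, sizeof out->vendor, msg, vlen))
        return -1;
    if (!bounded_copy(out->feature, sizeof out->feature, sep + 1, flen))
        return -1;
    return 0;
}

/* Wrappers so the outcome can be checked without handling the struct. */
int try_safe(const char *msg)
{
    struct parsed_msg m;
    return parse_message_safe(msg, strlen(msg), &m);
}

int try_unsafe(const char *msg)
{
    struct parsed_msg m;
    return parse_message_unsafe(msg, &m);
}

/* Builds a constructed message whose feature field is far longer than
 * FIELD_MAX and confirms the hardened parser rejects it rather than overflowing. */
int oversized_is_rejected(void)
{
    char big[128];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    memcpy(big, "demo:", 5);               /* "demo:AAAA...A" */
    return try_safe(big) == -1;
}

int main(void)
{
    const char *ok = "demo:FEATURE_A";      /* constructed sample that fits both fields */
    printf("unsafe parser, short input:     %d\n", try_unsafe(ok));
    printf("safe parser, short input:       %d\n", try_safe(ok));
    printf("safe parser rejects oversized:  %d\n", oversized_is_rejected());
    return 0;
}
```

The point of the hardened version is not the memcpy itself but that every copy receives the destination capacity and that the parser tracks how many bytes it was actually given; once a length flows through the parser, oversized fields become an ordinary error return instead of a stack write past the end of the struct.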
- After appropriate testing, apply the applicable updates provided by Citrix to vulnerable systems (for the Windows and VPX License Server, version 11.13.1.2 or later).
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.