Heartbleed – OpenSSL Vulnerability in a Citrix Environment

There is a lot of news and chatter right now about the OpenSSL vulnerability known as Heartbleed (CVE-2014-0160). This is a critical issue, as documented here. So what is Heartbleed, and what makes it so dangerous? The CVE description reads:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
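The buffer over-read in the description above, as an added example that is not OpenSSL's code and not from the original post: a simplified C model of the TLS Heartbeat handler. A heartbeat message (RFC 6520) is one type byte, a two-byte payload length, the payload, and at least 16 bytes of padding. The vulnerable handler trusts the peer-supplied payload length and copies that many bytes into the reply; the hardened handler first checks it against the number of bytes actually received, which is the shape of the check OpenSSL 1.0.1g added. The simulated memory layout, the "secret" that sits after the record, and all function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3      /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING   16     /* RFC 6520 minimum padding */
#define MEM_SIZE     (65536 + 64)

/* Constructed stand-in for whatever happened to sit in process memory
 * right after the received record (in a real attack: keys, cookies, passwords). */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

/* Hypothetical handler, simplified from the logic in OpenSSL's heartbeat code.
 * rec/rec_len: the record actually received from the peer; out: reply buffer
 * of at least HB_HEADER + 65535 + HB_PADDING bytes. Returns the reply length,
 * 0 if the message is silently ignored, -1 if rejected (hardened mode only). */
static int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, int hardened)
{
    if (rec_len < HB_HEADER)
        return 0;
    uint8_t  type    = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]); /* peer-controlled */
    if (type != HB_REQUEST)
        return 0;

    /* The 1.0.1g fix amounts to this check: the claimed payload, the header
     * and the minimum padding must all fit inside the record received. */
    if (hardened && (size_t)HB_HEADER + payload + HB_PADDING > rec_len)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without the check, `payload` can be up to 65535 while the peer sent
     * only a handful of bytes, so this memcpy reads past the record into
     * whatever follows it in memory and echoes it back to the peer. */
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING); /* real code: random padding */
    return HB_HEADER + payload + HB_PADDING;
}

/* Lays out the simulated memory: a request carrying one real payload byte
 * ('A') plus 16 padding bytes, whose length field claims `claimed_len`,
 * with SECRET immediately after it. Returns the record length (20 bytes). */
static size_t build_memory(uint8_t *mem, uint16_t claimed_len)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    mem[3] = 'A';
    memset(mem + 4, 'P', HB_PADDING);
    memcpy(mem + 4 + HB_PADDING, SECRET, sizeof SECRET);
    return 4 + HB_PADDING;
}

/* Bounded substring search (the reply contains NUL bytes, so strstr is unusable). */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= hay_len; i++)
        if (memcmp(hay + i, needle, nl) == 0)
            return 1;
    return 0;
}

/* Runs one exchange; returns the reply length (0 / -1 as above) and sets
 * *leaked to 1 if the reply contains SECRET. */
int heartbeat_exchange(int hardened, uint16_t claimed_len, int *leaked)
{
    static uint8_t mem[MEM_SIZE];
    static uint8_t reply[MEM_SIZE];
    size_t rec_len = build_memory(mem, claimed_len);
    int n = heartbeat_respond(mem, rec_len, reply, hardened);
    *leaked = (n > 0) && contains(reply, (size_t)n, SECRET);
    return n;
}

int reply_length(int hardened, uint16_t claimed_len)
{
    int leaked;
    return heartbeat_exchange(hardened, claimed_len, &leaked);
}

int secret_leaked(int hardened, uint16_t claimed_len)
{
    int leaked;
    heartbeat_exchange(hardened, claimed_len, &leaked);
    return leaked;
}

int main(void)
{
    printf("vulnerable, claimed 16384: reply %d bytes, secret leaked: %d\n",
           reply_length(0, 0x4000), secret_leaked(0, 0x4000));
    printf("hardened,   claimed 16384: reply %d (rejected), secret leaked: %d\n",
           reply_length(1, 0x4000), secret_leaked(1, 0x4000));
    printf("hardened,   claimed 1:     reply %d bytes, secret leaked: %d\n",
           reply_length(1, 1), secret_leaked(1, 1));
    return 0;
}
```

The first exchange is the attack: a 20-byte request that claims a 16 KB payload comes back as a 16,403-byte reply with the neighbouring "private key" inside it. The same request against the hardened handler is rejected, while a well-formed one-byte heartbeat is still answered normally. Note that the reply is not a copy of anything the attacker sent; it is whatever was next in the process's memory, which is why rekeying certificates, not just patching, is part of the cleanup.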

This is a very wide-reaching issue and is considered critical. Patching OpenSSL, or the products that bundle it, is not enough on its own: the bug lets an attacker read a server's private key straight out of memory, so any certificate served by a vulnerable system must be treated as compromised and regenerated or rekeyed, and the old certificate revoked. Depending on how your products interact, that may mean extra work wherever one system trusts another's certificate. XenDesktop, for example, imports the vCenter certificate when it connects to a vSphere instance, so if you replace the vCenter certificate you also need to import the new certificate into XenDesktop.

Citrix has released a Security Advisory detailing which of its products are affected by Heartbleed. Other vendors, such as VMware, EMC and Cisco, are publishing similar articles for their products. Per the Citrix advisory, most of the products in the Citrix portfolio are unaffected, but check the advisory to confirm, as Citrix is still researching some of its products.

Many Citrix environments run on VMware vSphere, and some versions, such as vSphere 5.5, are affected by Heartbleed. XenDesktop (any version) and XenApp 7.x and later, when hosted on vSphere, depend on the certificate that vCenter presents for the host connection. If you remediate vCenter and regenerate its certificate, you will need to import the new certificate into XenDesktop again, following the same instructions you used during the initial setup.

My general advice is to find and document the affected items in your environment, map out their dependencies, and create a remediation plan to work through them, because this bug is a potential compromise of your private keys and of anything else that was in the memory of an affected process. If you aren't sure what those items may be, reach out to your partners, who may have detailed information on what to look for.


2 Responses to Heartbleed – OpenSSL Vulnerability in a Citrix Environment

  1. Really curious to see if/when we will get the all clear for XenServer.

  2. XenServer is unaffected by Heartbleed. The articles have been updated. I will also be updating my blog respectively soon.