Update Protection against Citrix Provisioning Services streamprocess.exe Stack Buffer Overflow Vulnerability
|Check Point Reference:||CPAI-2011-250|
|Source:||Secunia Advisory: SA42954|
|Protection Provided by:||
Who is Vulnerable?
Citrix Systems Provisioning Services 5.6 and prior
A stack buffer overflow vulnerability has been reported in Citrix Provisioning Service. Citrix Provisioning Service allows computers to obtain application from the network in real-time. Administrators can prepare a master device for imaging purposes by creating a vDisk image that would be stored on a Provisioning Server. Then, this vDisk would be used by devices to boot directly from the network. A remote attacker may exploit this vulnerability to execute code on an affected system.
The vendor, Critix, has released an advisory addressing this vulnerability.
The vulnerability is due to a boundary error when handling a specially crafted packet to the Provisioning Services server. A remote attacker could exploit this issue by sending a malicious packets to the target service. Successful exploitation of this vulnerability may allow remote attackers to execute arbitrary code on the target machine within the security context of the service, and may cause the vulnerable server to terminate abnormally.
This protection will detect and block specially crafted packets sent to the Provisioning Services server.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection taband select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Security Gateway: R75
How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Application Intelligence > Application Servers.
2. In the right pane, double-click the Citrix Provisioning Services streamprocess.exe Stack Buffer Overflow protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Application Servers Protection Violation
Attack Information:Citrix Provisioning Services streamprocess.exe stack buffer overflow