A weakness has been reported in Citrix Presentation Server, which potentially can be exploited by malicious people to compromise a vulnerable system.

The problem is that published applications and potentially other applications can be launched when invoking an ICA connection to a Citrix Presentation Server. This can be exploited to e.g. launch published applications with specially crafted parameters on a Citrix Presentation Server when a user is tricked into visiting a malicious website or opening a malicious .ICA file.

Successful exploitation requires that the target user is authorized to execute the published application and that the Citrix Presentation Server is configured e.g. to allow parameters to be passed to published applications.

The weakness affects the following products:
* Access Essentials 1.0
* Citrix Access Essentials 1.5
* Citrix Access Essentials 2.0
* Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2000
* Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2003
* Citrix Presentation Server 4.0 for Microsoft Windows 2000
* Citrix Presentation Server 4.0 for Microsoft Windows 2003
* Citrix Presentation Server 4.0 x64 Edition
* Citrix Presentation Server 4.5 for Windows Server 2003
* Citrix Presentation Server 4.5 for Windows Server 2003 Feature Pack 1
* Citrix Presentation Server 4.5 for Windows Server 2003 x64 Edition

Solution
Apply Hotfix Rollup Pack 2 (see vendor's advisory for details).

Provided and/or discovered by
.ICA files launching published applications via the "InitialProgram" key originally reported by wirepair and recently discussed by pdp.

Changelog
Further details available in Customer Area

Original Advisory
CTX115245:
http://support.citrix.com/article/CTX115245

GNUCITIZEN:
http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available in Customer Area