Notice to Customers Regarding Revocation of Code Signing Certificate

July 29, 2013

We recently discovered a potential security issue related to a Citrix code signing certificate used to sign four limited release hotfixes for Citrix StoreFront and CloudPortal™ Services Manager. Today we are publishing updates to these hotfixes, and we will revoke the affected certificate shortly. The revocation impacts a limited number of customers who downloaded the specific hotfixes after January 11, 2013 and does not impact any other Citrix product or service.

Here is what happened

Earlier this year, our IT security team detected suspicious activity on our internal network.  We promptly engaged an industry-leading security incident response management firm to launch a comprehensive forensic review of our network infrastructure to help us determine the nature of the unauthorized activity and recommend corresponding security responses.

This firm recently completed its review, which uncovered evidence that a code signing certificate located on one of our servers was accessed by an unauthorized party. While the review indicated that the certificate was extracted from the certificate store on the accessed server, we have found no evidence that the certificate was removed from that server or from our network, or that it has been misused by any third party.

Further, there is no evidence that any other third party authenticated certificate located on our network has been compromised, or that personally-identifiable information or customer information of any kind was compromised. 

Enhanced security measures

Based on the conclusions of our forensic investigation, we have undertaken a number of remediation steps to enhance the security surrounding Citrix code signing certificates.

  • After learning of the unauthorized access to our code signing server, we immediately decommissioned that server and acquired new certificates for future use.
  • We are revoking the affected certificate. Because this certificate was used to sign only four PowerShell hotfixes for Citrix StoreFront and CloudPortal Services Manager – and not any other Citrix product or service – most customers should not experience interruptions or notice anything out of the ordinary as a result of the certificate revocation.
  • We recognize the importance of adapting to a threat landscape that is constantly evolving. To that end, we have taken further steps to prevent unauthorized access to our network, including installing additional monitoring and defensive technologies to further enhance our security posture, and implementing measures to augment the security of Citrix code signing certificates.

What this means to our customers

Today we re-published the PowerShell hotfixes signed using the impacted certificate to ensure that Citrix StoreFront and CloudPortal Services Manager users who downloaded the hotfixes can continue to use these services without interruption following the revocation. These users must download the updates in order to ensure continued service functionality following the revocation.

If you are a Citrix StoreFront or CloudPortal Services Manager user, please refer to the StoreFront and CloudPortal sections below for details on what this means for your current installation and what corrective steps (if any) you should take. Again, if you are a Citrix StoreFront or CloudPortal Services Manager user and have not installed hotfixes after January 11, 2013, you do not need to take any action.

The revocation of the compromised certificate for all code signed after January 1, 2013 is planned for 5:00 p.m. PDT on Monday, August 5, 2013.  The certificate revocation will be included in the certificate revocation list (CRL) published by VeriSign.

Our commitment to the highest standards of privacy and security

While we believe the risk arising from this incident has been significantly mitigated by our program of active monitoring and intervention, the fact that this happened at all shows that sophisticated cyber threats are an ongoing and meaningful challenge across all sectors of the economy, including our industry. 

We believe that our actions have addressed this incident, and our ongoing initiatives significantly decrease the potential for recurrence. We must always be vigilant and ensure we are continually improving our procedures and practices.

Our team directly responsible for IT security stays on top of the latest advancements in security technologies and techniques, and we continuously work at hardening our server infrastructure, preparing for a range of possible contingencies, and enhancing overall network security on your behalf.

If you have questions regarding the certificate revocation or wish to contact our customer care professionals, please email certquestions@citrix.com.

 

StoreFront

The affected StoreFront updates are:

  • LIMITED RELEASE - Receiver Storefront 1.2 Update 1 for Web Receiver Add-in 
  • LIMITED RELEASE - Receiver Storefront 1.2 Update 1 for Receiver Storefront Add-in

Please note that you only need to take action if you have installed one of the updates listed above.

How do I know if I have previously installed these updates?

  • Go to Control Panel – Programs and Features – Uninstall a program
  • If you have installed LIMITED RELEASE - Receiver Storefront 1.2 Update 1 for Web Receiver Add-in, you will see Citrix Receiver for Web Add-In – Version 1.2.1.3
  • If you have installed LIMITED RELEASE - Receiver Storefront 1.2 Update 1 for Receiver Storefront Add-in, you will see Citrix StoreFront Add-In – Version 2.2.2.3
  • If you have installed both updates, you will see:
    Citrix Receiver for Web Add-In – Version 1.2.1.3
    and
    Citrix StoreFront Add-In – Version 2.2.2.3

If I have these hotfixes, and the certificate is revoked, what will I see?

  • Please note that end users are not affected and can log in and launch applications and desktops. Rather, the errors will occur in the StoreFront 1.2 MMC console. It will not run, and you will see the following error messages:
MMC has detected an error in a snap-in and will unload it.
MMC cannot initiate the snap-in.

If you run a StoreFront 1.2 script within Windows PowerShell itself, you will get the “A certificate was explicitly revoked by its issuer” message, as follows.

PS C:\Program Files\Citrix\Receiver Storefront\Script>

How do I fix it?

Remediating the issues simply requires downloading the new hotfixes.

  • Download and install the new updates signed with the newly issued certificate.  You do not need to uninstall the previous updates first.
  • For Receiver Storefront 1.2 Update 2 for Web Receiver Add-in go to http://support.citrix.com/article/CTX138462 and follow the installation instructions.
  • For Receiver Storefront 1.2 Update 2 for Receiver Storefront Add-in go to http://support.citrix.com/article/CTX138463 and follow the installation instructions.

How can I tell if the updated hotfixes are installed?

  • Go to Control Panel – Programs and Features – Uninstall a program
  • If you have successfully applied the latest update, Receiver Storefront 1.2 Update 2 for Web Receiver Add-in, you will see Citrix Receiver for Web Add-In – Version 1.2.2.2
  • If you have successfully applied the latest update, Receiver Storefront 1.2 Update 2 for Receiver Storefront Add-in, you will see Citrix StoreFront Add-in – Version 2.2.3.2
  • If you have successfully installed the latest of both updates, you will see:
    Citrix Receiver for Web Add-in – Version 1.2.2.2
    and
    Citrix StoreFront Add-in – Version 2.2.3.2

CloudPortal Services Manager

The affected CloudPortal Services Manager (CPSM) updates are:

  • LIMITED RELEASE - CPSM v10 CU2-v2 
  • LIMITED RELEASE - CPSM v10 CU3

If either of these updates has been successfully installed, you do not need to take any action. The certificate revocation will only affect you during the installation of the original updates.

How do I know if I am trying to install an affected CloudPortal update?

When applying LIMITED RELEASE - CPSM v10 CU2-v2 or LIMITED RELEASE - CPSM v10 CU3 once the certificate has been revoked, the following error is produced when performing step 3c.

Step 3c:

3. Databases

a. Back up the OLM, OLMReports & ExchangeLogs databases*
*This step is key to being able to roll back from the update (if required) and must be performed.
b. Open PowerShell and run: Set-ExecutionPolicy AllSigned Process
c. Use C:\CPSMCU3\deployscripts.ps1 as a user with permissions on the DB to run the SQL files

From a PowerShell command prompt, run “help .\deployscripts -Full” to see additional information about the script.

Error:

“A certificate was explicitly revoked by its issuer.”

If I have an issue due to the revoked certificate, how will I know?

You will only encounter an issue during an attempted installation of the previous hotfix version.  Installation will fail as outlined above.  There will be no error in your environment or CloudPortal Services Manager install.
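
The StoreFront script error and the CPSM step 3c failure described above both come from PowerShell validating the script's signature. The following is an added example, not Citrix code, that reports the signature status and signing certificate of every PowerShell script in a folder before you run anything. The function name and report columns are made up for this example; the two folder paths are the ones shown in this notice, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from Citrix): audit Authenticode signatures on the
# PowerShell scripts in a folder before running them under AllSigned.
param(
    # Default is the StoreFront prompt path shown in this notice.
    # For the CPSM update, pass the folder from step 3c: -Path C:\CPSMCU3
    [string]$Path = 'C:\Program Files\Citrix\Receiver Storefront\Script'
)

function Get-ScriptSignatureReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.ps1xml |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate      # $null when the file is unsigned
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status         # Valid, NotSigned, HashMismatch, ...
                Message     = $sig.StatusMessage  # validation error text, if any
                Signer      = if ($cert) { $cert.Subject }    else { $null }
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
                ValidFrom   = if ($cert) { $cert.NotBefore }  else { $null }
                ValidTo     = if ($cert) { $cert.NotAfter }   else { $null }
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

$report = @(Get-ScriptSignatureReport -Path $Path)

# One row per signing certificate: shows whether the folder mixes scripts
# signed with different certificates (for example old and re-published files).
$report | Where-Object { $_.Thumbprint } |
    Group-Object Thumbprint |
    Select-Object Count, Name, @{ n = 'Signer'; e = { $_.Group[0].Signer } } |
    Format-Table -AutoSize

# With the AllSigned policy from step 3b, a script whose signature does not
# validate is refused. List those files with the reason PowerShell gives.
$blocked = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($blocked.Count -gt 0) {
    $blocked | Format-List File, Status, Message, Thumbprint, Timestamped
} else {
    Write-Output "All $($report.Count) script(s) under '$Path' have a valid signature."
}
```

The result reflects the revocation information the host can see at the time, so a machine that cannot reach the issuer's CRL, or still holds a cached copy from before the revocation, may report a different status than one with current data.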

How do I fix it?

  • LIMITED RELEASE - CPSM v10 CU2-v2 and LIMITED RELEASE - CPSM v10 CU3 have been superseded by LIMITED RELEASE - CPSM v10 CU3-v2. You should obtain LIMITED RELEASE - CPSM v10 CU3-v2 and apply that instead.
  • To obtain LIMITED RELEASE - CPSM v10 CU3-v2, please contact the Citrix CPSM Support Team (http://support.citrix.com/cms/kc/cloudportalservicesmanager). Obtaining this hotfix requires your entitlement to support for CPSM. This is due to the complex nature of the hotfix as it will update a number of core components.
  • CPSM is supported only for CSP Partners who have an active CSP 5 Incident Pack. CPSM is not currently part of any Citrix partner entitlements or preferred support agreements.
