We recently discovered a potential security issue related to a Citrix code signing certificate used to sign four limited release hotfixes for Citrix StoreFront and CloudPortal™ Services Manager. Today we are publishing updates to these hotfixes, and we will revoke the affected certificate shortly. The revocation impacts a limited number of customers who downloaded the specific hotfixes after January 11, 2013 and does not impact any other Citrix product or service.
Earlier this year, our IT security team detected suspicious activity on our internal network. We promptly engaged an industry-leading security incident response management firm to launch a comprehensive forensic review of our network infrastructure to help us determine the nature of the unauthorized activity and recommend corresponding security responses.
This firm recently completed its review, which uncovered evidence that a code signing certificate located on one of our servers was accessed by an unauthorized party. While the review indicated that the certificate was extracted from the certificate store on the accessed server, we have found no evidence that the certificate was removed from that server or from our network, or that it has been misused by any third party.
Further, there is no evidence that any other third party authenticated certificate located on our network has been compromised, or that personally-identifiable information or customer information of any kind was compromised.
Based on the conclusions of our forensic investigation, we have undertaken a number of remediation steps to enhance the security surrounding Citrix code signing certificates.
Today we re-published the PowerShell hotfixes signed using the impacted certificate to ensure that Citrix StoreFront and CloudPortal Services Manager users who downloaded the hotfixes can continue to use these services without interruption following the revocation. These users must download the updates in order to ensure continued service functionality following the revocation.
If you are a Citrix StoreFront or CloudPortal Services Manager user, please refer to the StoreFront and CloudPortal sections below for details on what this means for your current installation and what corrective steps (if any) you should take. Again, if you are a Citrix StoreFront or CloudPortal Services Manager user and have not installed hotfixes after January 11, 2013, you do not need to take any action.
The revocation of the compromised certificate for all code signed after January 1, 2013 is planned for 5:00 p.m. PDT on Monday, August 5, 2013. The certificate revocation will be included in the certificate revocation list (CRL) published by VeriSign.
While we believe the risk arising from this incident has been significantly mitigated by our program of active monitoring and intervention, the fact that this happened at all shows that sophisticated cyber threats are an ongoing and meaningful challenge across all sectors of the economy, including our industry.
We believe that our actions have addressed this incident, and our ongoing initiatives significantly decrease the potential for recurrence. We must always be vigilant and ensure we are continually improving our procedures and practices.
Our team directly responsible for IT security stays on top of the latest advancements in security technologies and techniques, and we continuously work at hardening our server infrastructure, preparing for a range of possible contingencies, and enhancing overall network security on your behalf.
If you have questions regarding the certificate revocation or wish to contact our customer care professionals, please email firstname.lastname@example.org.
The affected StoreFront updates are:
If you run a StoreFront 1.2 script within Windows PowerShell itself, you will get the “A certificate was explicitly revoked by its issuer” message, as follows.
Remediating the issues simply requires downloading the new hotfixes.
The affected CloudPortal Services Manager (CPSM) updates are:
When applying LIMITED RELEASE - CPSM v10 CU2-v2 or LIMITED RELEASE - CPSM v10 CU3 once the certificate has been revoked, the following error is produced when performing step 3c.
a. Back up the OLM, OLMReports & ExchangeLogs databases*
*This step is key to being able to roll back from the update (if required) and must be performed.
b. Open PowerShell and run: Set-ExecutionPolicy AllSigned Process
c. Use C:\CPSMCU3\deployscripts.ps1 as a user with permissions on the DB to run the SQL files
From a PowerShell command prompt, run “help .\deployscripts -Full” to see additional information about the script.
“A certificate was explicitly revoked by its issuer.”
You will only encounter an issue during an attempted installation of the previous hotfix version. Installation will fail as outlined above. There will be no error in your environment or CloudPortal Services Manager install.
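The following is an added example, not code from Citrix or from the hotfix packages: one way to inventory the PowerShell scripts in an extracted hotfix folder and flag those signed with a given certificate, so they can be replaced before the revocation takes effect. The function name `Find-ScriptsSignedBy` is hypothetical, and the thumbprint is a placeholder because this page does not give it.

```powershell
# Added example (not Citrix code). Requires Windows PowerShell 3.0 or later.
# Find-ScriptsSignedBy is a hypothetical helper name chosen for this example.
function Find-ScriptsSignedBy {
    [CmdletBinding()]
    param(
        # Folder holding the extracted hotfix, e.g. C:\CPSMCU3 from step c.
        [Parameter(Mandatory = $true)] [string] $Path,
        # Thumbprint of the certificate being revoked. Not stated on this page:
        # take it from the vendor or from a script known to be affected.
        [Parameter(Mandatory = $true)] [string] $Thumbprint
    )

    # Thumbprints copied from the certificate dialog often contain spaces or
    # invisible characters, so keep only the hex digits before comparing.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $scriptExtensions = '.ps1', '.psm1', '.psd1', '.ps1xml'

    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $scriptExtensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = $sig.SignerCertificate

            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status         # e.g. Valid, NotSigned, HashMismatch
                Message     = $sig.StatusMessage  # text such as the revocation error
                Signer      = if ($signer) { $signer.Subject } else { $null }
                Thumbprint  = if ($signer) { $signer.Thumbprint } else { $null }
                # True when the signature carries a timestamp countersignature.
                Timestamped = [bool]$sig.TimeStamperCertificate
                # True when the script was signed with the certificate of interest.
                Affected    = [bool]($signer -and $signer.Thumbprint -eq $wanted)
            }
        }
}

# Usage (placeholder thumbprint; substitute the real value):
#   Find-ScriptsSignedBy -Path C:\CPSMCU3 -Thumbprint '<AFFECTED-CERT-THUMBPRINT>' |
#       Where-Object { $_.Affected } |
#       Format-Table File, Status, Timestamped -AutoSize
```

Any file reported with `Affected` set to true comes from a hotfix package signed with that certificate and should be replaced with the re-published version.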