NVD Vulnerability Detail

CVE-2016-9111

Summary	Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4.5 allow an attacker to bypass the authentication requirement by leveraging physical access to a VDI for temporary disconnection of a LAN cable. NOTE: as of 20161208, the vendor could not reproduce the issue, stating "the researcher was unable to provide us with information that would allow us to confirm the behaviour and, despite extensive investigation on test deployments of supported products, we were unable to reproduce the behaviour as he described. The researcher has also, despite additional requests for information, ceased to respond to us."
Publication Date	Nov. 7, 2016, 8:59 p.m.
Registration Date	Jan. 26, 2021, 2:19 p.m.
Last Update	Nov. 21, 2024, noon

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:citrix:receiver_desktop:4.5:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/94229	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/94229	Third Party Advisory VDB Entry
3	http://www.securitytracker.com/id/1037176
4	http://www.securitytracker.com/id/1037176
5	https://packetstormsecurity.com/files/139493/Citrix-Receiver-Receiver-Desktop-Lock-4.5-Authentication-Bypass.html	Exploit Third Party Advisory VDB Entry
6	https://packetstormsecurity.com/files/139493/Citrix-Receiver-Receiver-Desktop-Lock-4.5-Authentication-Bypass.html	Exploit Third Party Advisory VDB Entry
7	https://vuldb.com/?id.93250	Third Party Advisory VDB Entry
8	https://vuldb.com/?id.93250	Third Party Advisory VDB Entry
9	https://www.exploit-db.com/exploits/40686/	Exploit Third Party Advisory VDB Entry
10	https://www.exploit-db.com/exploits/40686/	Exploit Third Party Advisory VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-284	不適切なアクセス制御	https://cwe.mitre.org/data/definitions/284.html
2	CWE-254	セキュリティ機能	https://cwe.mitre.org/data/definitions/254.html

JVN Vulnerability Information

Citrix Receiver Desktop Lock の不正なアクセス制御メカニズムにおける認証要求を回避される脆弱性

Title	Citrix Receiver Desktop Lock の不正なアクセス制御メカニズムにおける認証要求を回避される脆弱性
Summary	Citrix Receiver Desktop Lock の不正なアクセス制御メカニズムには、認証要求を回避される脆弱性が存在します。補足情報 : CWE による脆弱性タイプは、CWE-254: Security Features (セキュリティ機能)、および CWE-284: Improper Access Control (不適切なアクセス制御) と識別されています。 https://cwe.mitre.org/data/definitions/254.html https://cwe.mitre.org/data/definitions/284.html
Possible impacts	攻撃者により、LAN ケーブルの一時的な切断に対して VDI への物理的なアクセスを利用されることで、認証要求を回避される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Oct. 27, 2016, midnight
Registration Date	Nov. 8, 2016, 5:49 p.m.
Last Update	Nov. 8, 2016, 5:49 p.m.

Affected System

シトリックス・システムズ

Citrix Receiver Desktop Lock 4.5

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-9111	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9111
National Vulnerability Database (NVD)
2	CVE-2016-9111	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9111

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther

ベンダー情報

No	Name	URL
Citrix
1	Citrix Receiver	https://www.citrix.co.jp/go/receiver.html
2	Citrix Receiver Desktop Lock	https://docs.citrix.com/ja-ja/receiver/windows/4-3/receiver-windows-desktop-lock.html

その他

No	Name	URL
関連文書
1	Citrix Receiver / Receiver Desktop Lock 4.5 Authentication Bypass	https://packetstormsecurity.com/files/139493/Citrix-Receiver-Receiver-Desktop-Lock-4.5-Authentication-Bypass.html

Change Log

No	Changed Details	Date of change
0	[2016年11月08日] 掲載	Feb. 17, 2018, 10:37 a.m.