CVE-2022-26355: Citrix Federated Authentication Service (FAS) Security Update
CTX341587
Security Bulletin | Severity: Low
Description of Problem
An issue has been identified in Citrix Federated Authentication Service (FAS) which causes deployments that have been configured to store a registration authority certificate’s private key in a Trusted Platform Module (TPM) to incorrectly store that key in the Microsoft Software Key Storage Provider (MSKSP).
This issue only occurs if PowerShell was used when configuring FAS to store the registration authority certificate’s private key in the TPM. It does not occur if the TPM was not selected for use or if the FAS administration console was used for configuration.
CVE-ID | Description | Type | Pre-requisites
CVE-2022-26355 | The registration authority certificate’s private key is stored in ‘Microsoft Software Key Storage Provider’ even if the Trusted Platform Module was selected | CWE-668: Exposure of Resource to Wrong Sphere | Local Administrator access to the FAS server
Certificates that were generated using the following versions of Citrix Federated Authentication Service are affected by this issue:
- Citrix Federated Authentication Service 7.17 - 10.6
These versions of FAS are included in Citrix Virtual Apps and Desktops 2106 and earlier, and in XenApp / XenDesktop 7.17 and later.
Note that whether a deployment is affected is determined by the version of FAS that was installed when the certificate was generated, not by the currently installed version.
Customers can determine if the registration authority certificate’s private key is currently being stored in the TPM by using the following PowerShell commands and reviewing the output:
Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1
Get-FasAuthorizationCertificate -FullCertInfo -Address localhost
The PrivateKeyProvider field will be set to Microsoft Platform Crypto Provider if the registration authority certificate’s private key is stored in the TPM. If it is set to Microsoft Software Key Storage Provider, the private key is not in the TPM, which is the condition this bulletin describes for deployments that had selected TPM storage.
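The following PowerShell script is an added example and not part of the Citrix bulletin. It wraps the two commands above so that each registration authority certificate returned by Get-FasAuthorizationCertificate is classified by its PrivateKeyProvider value, reporting whether the private key is held by the TPM (Microsoft Platform Crypto Provider) or by the software provider (Microsoft Software Key Storage Provider). The function name Test-FasRaKeyInTpm, the output object's property names and the Finding strings are assumptions of this example, not part of the FAS snap-in; the cmdlet, its parameters and the PrivateKeyProvider field are the ones the bulletin names. Run it as a local administrator on the FAS server.

```powershell
# Added example (not Citrix's code): report where each FAS registration
# authority certificate's private key is stored, based on the
# PrivateKeyProvider field described in CTX341587.
# Assumptions: Test-FasRaKeyInTpm, the output object shape and the
# Finding text are invented here; the cmdlet and field are from the bulletin.

Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1

function Test-FasRaKeyInTpm {
    param(
        # FAS server to query; localhost when run on the FAS server itself.
        [string]$Address = 'localhost'
    )

    # -FullCertInfo populates PrivateKeyProvider, which is what we inspect.
    # Wrap in @() so a single certificate is still iterated as a list.
    $certs = @(Get-FasAuthorizationCertificate -FullCertInfo -Address $Address)

    if ($certs.Count -eq 0) {
        Write-Warning "No registration authority certificate returned by $Address."
        return
    }

    foreach ($cert in $certs) {
        $provider = [string]$cert.PrivateKeyProvider
        $inTpm    = ($provider -eq 'Microsoft Platform Crypto Provider')

        if ($inTpm) {
            $finding = 'OK: private key is held by the TPM'
        }
        elseif ($provider -eq 'Microsoft Software Key Storage Provider') {
            # Software provider: if TPM storage was intended for this
            # deployment, this is the condition CVE-2022-26355 describes.
            $finding = 'REVIEW: private key is in MSKSP, not the TPM'
        }
        else {
            $finding = "REVIEW: unexpected provider '$provider'"
        }

        [pscustomobject]@{
            Address            = $Address
            PrivateKeyProvider = $provider
            StoredInTpm        = $inTpm
            Finding            = $finding
        }
    }
}

# Usage: list the result per certificate; StoredInTpm is $false for any
# certificate whose key the bulletin's remediation would have regenerated.
Test-FasRaKeyInTpm | Format-List
```

The script only reads the certificate metadata; it does not touch the key itself. A StoredInTpm value of $false on a deployment that was configured for TPM storage is the signal to follow the remediation in the section below (create a new registration authority certificate with the private key in the TPM, via the administration console or a fixed FAS version).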
What Customers Should Do
The issue has been addressed in the following versions of Citrix Federated Authentication Service:
- Citrix Federated Authentication Service 10.7 and later versions
- Citrix Federated Authentication Service 7.24.4000 and later versions of 7.24
These versions of FAS are included as part of the following versions of Citrix Virtual Apps and Desktops:
- Citrix Virtual Apps and Desktops 2109 and later versions
- Citrix Virtual Apps and Desktops 1912 LTSR CU4 and later CU updates
Citrix recommends that affected customers assess the risk to their environments and, if appropriate, create a new registration authority certificate with the private key stored in the TPM. This can be done by either using the FAS administration console or by updating to a fixed version and then using the PowerShell commands. Installation instructions are available under configuration scenario example 2 at https://docs.citrix.com/en-us/federated-authentication-service/config-manage/private-key-protection.html.
What Citrix is Doing
Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.
Subscribe to Receive Alerts
Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.
Disclaimer
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.
Changelog
Date | Change
2022-03-08 | Initial Publication