Rule

--
Sid
9325

--
Summary:
This event is generated when an attempt is made to cause a Denial of Service (DoS) in Citrix IMA.

--
Impact:
Denial of Service (DoS)

--
Detailed Information:
The Citrix MetaFrame product line is managed by the Independent Management Architecture (IMA).  Management connections to this service occur over TCP port 2513.  Messages to this service begin with the following format:

0x0000 0x04 Message size in bytes (includes size field)
0x0004 0x04 Unknown field
0x0008 0x04 Event Data Length
0x000C 0x10 Other event headers
0x001C 0x02 Event ID
0x001E 0x02 Data Version
0x0020 0x01 Header Version
0x0021 0x01 flag
0x0022 0x02 Description Length
0x0024 BEGIN ENCRYPTED DATA

If the message is of size 0x1c (both in reality, and in the message size field) and the event data length is 0, the message will pass the validity checks and be passed to the to a function that will attempt to process the event header. However, because it doesn't exist, the program will access invalid data areas and a memory access violation may occur.

--
Affected Systems:
Citrix Presentation Server 4.0
Citrix MetaFrame Presentation Server 4.0
Citrix MetaFrame Presentation Server 3.0
Citrix MetaFrame XPs
Citrix MetaFrame XPe
Citrix MetaFrame XPa
Citrix MetaFrame XP SP2
Citrix MetaFrame XP SP1
Citrix MetaFrame XP

--
Attack Scenarios:
An attacker would need to supply malformed data to the Cisco MetaFrame server.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Apply the appropriate vendor supplied patches.

Upgrade to the latest non-affected version of the software.

--
Contributors:
Sourcefire Vulnerability Research Team
Matthew Olney <matthew.olney@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:


--
