CVE-2016-9111 Information
Description
Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4.5 allow an attacker to bypass the authentication requirement by leveraging physical access to a VDI for temporary disconnection of a LAN cable. NOTE: as of 20161208 the vendor could not reproduce the issue, stating "the researcher was unable to provide us with information that would allow us to confirm the behaviour and despite extensive investigation on test deployments of supported products we were unable to reproduce the behaviour as he described. The researcher has also despite additional requests for information ceased to respond to us."
CVSS Vector
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
http://www.securityfocus.com/bid/94229
http://www.securitytracker.com/id/1037176
https://packetstormsecurity.com/files/139493/Citrix-Receiver-Receiver-Desktop-Lock-4.5-Authentication-Bypass.html
https://vuldb.com/?id.93250
https://www.exploit-db.com/exploits/40686/
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
6.8
Base Severity
MEDIUM