Internal systems might be compromised if those without a comprehensive knowledge of its workings install Citrix. GSS found that all the 50 Citrix deployments it tested were vulnerable to arbitrary code execution.
Also, more than 80 percent exposed commercially sensitive data. Many cases breached the Data Protection Act, and standard security procedures had not been applied to most deployments.
GSS penetration testers, who have sent their findings on to Fort Lauderdale, Fla.-based Citrix, discovered a spreadsheet that held the domain admin passwords for every server at a financial services company, plus quotations, methodologies, terms of business and reports from a number of the firm's competitors. Of the firms tested, 20 were in the financial services sector.
Robin Hollington, director of consulting for GSS, said the unencrypted information was in a folder protected by access rules.
He said: “Using the access rules we had acquired at the time, we were able to read the information, including passwords, which gave us system administrator access to every server [several hundred] in the organization. That level of access not only gave us complete control of their systems, but we could have deleted any audit trail we might have left.”
The problem does not lie with Citrix, but rather with its implementation, said Hollington. He advised users to ensure that they are familiar with how to lock down the system and recommended confining access to specific roles.
Last year, the swiftest breach occurred within 15 seconds of logging on. This year, that time has been shaved to less than 10 seconds.