Citrix License Server Vulnerabilities

Yesterday, Sep 25, Citrix reported multiple Denial-of-Service vulnerabilities in License Server for Windows and VPX that may allow an attacker to force a shutdown of the vendor service:

  • CVE-2018-20031: A Denial of Service vulnerability in FlexNet Publisher version 11.16.1.0 and earlier
  • CVE-2018-20032: A Denial of Service vulnerability in FlexNet Publisher version 11.16.1.0 and earlier
  • CVE-2018-20033: A Remote Code Execution vulnerability in FlexNet Publisher version 11.16.1.0 and earlier
  • CVE-2018-20034: A Denial of Service vulnerability in FlexNet Publisher version 11.16.1.0 and earlier

These vulnerabilities are fixed with Citrix License Server for Windows version 11.16.3 build 28000 and newer. Actually, there’s no fix available for the VPX flavour.

For details please see Citrix KB article CTX261963.
