
Citrix can't fix security issues due to California Password Legislation AB 1906?



I opened a support case due to the security team flagging the MPX LOM with a DropBear vulnerability.

After researching for a week, the support person said Citrix can't release security fixes due to a law... They are still researching what the most current LOM firmware version is, as they can't seem to provide that info, but somehow are being held up releasing an updated LOM with a fix for a 2016 vulnerability due to a CA law that took effect on Jan 1, 2020.

 

Here is Citrix's workaround from 2016. The blog post concludes with

"As best practice, Dropbear SSH server will be upgraded to the newer version in an upcoming IPMI/LOM version." -Citrix December 2016

 

https://www.citrix.com/blogs/2016/12/22/securely-configuring-ipmilom-on-netscaler/

 

Support reply March 2020:

 

"Yes this is correct, the delay started after the California Password legislation AB 1906 release, which caused an entire code review not only for the DropBear vulnerability but for the entire software.

Engineering provided the workaround for the DropBear vulnerability, so this can be used as a mitigation measure.

It's important to note that this legislation is not only applicable for Citrix but for all brands that sell devices in order to maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

So, it is not that the fix is not known, but it cannot be released until the completion of the component review in order to fully comply with the legislation.

This is now with the Product Team and can be followed up via Account Team under internal Ticket: 22168

Regards,
Jose Soto
Citrix Network Escalation Engineer
jose.soto@citrix.com"
