| 4.12 | Approved w/Constraints [3, 4, 5, 7] | Approved w/Constraints [3, 4, 5, 7] | Approved w/Constraints [3, 4, 5, 7] | Approved w/Constraints [3, 4, 5, 7] | Approved w/Constraints [3, 4, 5, 7] | Approved w/Constraints [3, 4, 5, 7] | Approved w/Constraints [3, 4, 5, 7] | Approved w/Constraints [3, 4, 5, 7] | Approved w/Constraints [3, 4, 7, 8] | Approved w/Constraints [3, 4, 7, 8] | Approved w/Constraints [3, 4, 7, 8] | Unapproved |
[1] Security Engineering (SE) conducted a pre-assessment and security requirements verification of Citrix Windows Desktop Lock. It is advised that if this product is used within the Department of Veterans Affairs (VA) that the following constraints be applied:
- A security vulnerability was identified for version 4.5 (CVE-2016-9111) of Citrix Windows Desktop Lock. The vulnerability concerned access control mechanisms that may allow an attacker to bypass the authentication requirement by leveraging physical access to the Virtual Desktop Infrastructure (VDI). This condition could not be replicated or confirmed by the vendor. Further, the identifier could not be reached for additional investigation of the condition as of December 8, 2016. SETL will need to conduct its own independent testing to assure that the condition does not exist in version 4.6 or cannot be replicated.
- Ensure that FIPS encryption is properly configured so that sensitive data stored with Citrix Receiver for Windows Desktop Lock is encrypted with a FIPS 140-2 validated cryptographic module. VA Handbook 6500, SC-28 "Protection of Information at Rest", requires VA sensitive information to be encrypted using FIPS 140-2 validated encryption.

[2] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[3] Due to National Institute of Standards and Technology (NIST) identified security vulnerabilities, extra vigilance should be applied to ensure the versions remain properly patched to mitigate known and future vulnerabilities. The local ISO can provide assistance in reviewing the NIST vulnerabilities.

[4] Users should check with their supervisor, Information Security Office (ISO) or local OIT representative for permission to download and use this software. Downloaded software must always be scanned for viruses prior to installation to prevent adware or malware. Freeware may only be downloaded directly from the primary site that the creator of the software has advertised for public download and user or development community engagement. Users should note that any attempt by the installation process to install any additional, unrelated software is not authorized, and the user should take the proper steps to decline those installations.

[5] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.

[6] Security Engineering (SE) conducted a pre-assessment and security requirements verification of Citrix Windows Desktop Lock. It is advised that if this product is used within the Department of Veterans Affairs (VA) that the following constraints be applied:
- A security vulnerability was identified for version 4.5 (CVE-2016-9111) of Citrix Windows Desktop Lock. The vulnerability concerned access control mechanisms that may allow an attacker to bypass the authentication requirement by leveraging physical access to the Virtual Desktop Infrastructure (VDI). This condition could not be replicated or confirmed by the vendor. Further, the identifier could not be reached for additional investigation of the condition as of December 8, 2016. SETL will need to conduct its own independent testing to assure that the condition does not exist in version 4.6 or cannot be replicated.
- Ensure that FIPS encryption is properly configured so that sensitive data stored with Citrix Receiver for Windows Desktop Lock is encrypted with a FIPS 140-2 validated cryptographic module. VA Handbook 6500, SC-28 "Protection of Information at Rest", requires VA sensitive information to be encrypted using FIPS 140-2 validated encryption.

[7] Security Engineering (SE) conducted a pre-assessment and security requirements verification of Citrix Windows Desktop Lock. It is advised that if this product is used within the Department of Veterans Affairs (VA) that the following constraints be applied:
- A security vulnerability was identified for version 4.5 (CVE-2016-9111) of Citrix Windows Desktop Lock. The vulnerability concerned access control mechanisms that may allow an attacker to bypass the authentication requirement by leveraging physical access to the Virtual Desktop Infrastructure (VDI). This condition could not be replicated or confirmed by the vendor. Further, the identifier could not be reached for additional investigation of the condition as of December 8, 2016. SETL will need to conduct its own independent testing to assure that the condition does not exist in version 4.6 or cannot be replicated.
- Ensure that FIPS encryption is properly configured so that sensitive data stored with Citrix Receiver for Windows Desktop Lock is encrypted with a FIPS 140-2 validated cryptographic module. VA Handbook 6500, SC-28 "Protection of Information at Rest", requires VA sensitive information to be encrypted using FIPS 140-2 validated encryption.

[8] Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISO (Information Security Officer) to ensure compliance with VA Handbook 6500.