Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-1902

Description

Citrix MetaFrame Password Manager 2.0 stores passwords unencrypted when no central credential store is configured, allowing local users to read them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Citrix MetaFrame Password Manager 2.0, when a central credential store is not configured, fails to encrypt passwords entered immediately after executing the First Time User Wizard. The credentials are stored in the local store in plaintext instead of being encrypted with 3DES as expected. This affects installations on Windows 2000 and Windows XP where the administrator has not pointed the agent to a central store [1].

Exploitation

An attacker with local access to the system can read the unencrypted credentials from the local credential store. The store is protected by Windows file ACLs that restrict access to the user or Administrator, so the attacker must already have user-level or administrative rights on the machine. No network access or user interaction beyond the initial configuration is required [1].

Impact

Successful exploitation leads to disclosure of the passwords entered into the Password Manager, which may include credentials for applications, systems, and web sites. This compromises the confidentiality of the user's secondary logon credentials, potentially allowing the attacker to authenticate to other resources [1].

Mitigation

The vulnerability is mitigated by ensuring that a central credential store is configured, which causes encryption to be applied. Citrix released a vendor advisory, although the reference does not link to it directly [1]. Administrators should either configure a central store or apply any available update from Citrix. No workaround is available other than proper configuration [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:citrix:metaframe_password_manager:2.0:*:*:*:*:*:*:*
  • (no CPE) range: = 2.0

Patches

0

No patches discovered yet.
