Sophos' putrid patch snuffs Citrix kit, kills call centre A Sophos Web Appliance update has crashed users' PC fleets including knocking offline the Australian call centre of a global company for two days after support was quietly revoked for SSL 3.0 ciphers used in Citrix Receiver. The British security firm pushed out update version 4.0.2.3 last week to correct four non-critical …
If you use Citrix secure gateway (as many still using XenApp 6.5 do) you're limited to TLS 1.0 at best, disabling SSLv3 can be a pain, as CSG ignores the usual reg keys and can be temremental / require some fettling to get it reliably using TLS 1.0 only.
Given that CSG is effectively a re-badged apache instance, acting as a proxy, it's poor showing for Citrix to avoid supporting TLS 1.1 and 1.2 for existing customers.
Well, consider the following.
Most citrix setup, especially in a call center, aren't internet facing. This means they aren't exposed to the internet. So the kind of encryption used in the connection, if it's going over LAN, is relatively unimportant. So patching for a SSL vulnaribility isn't that much of a security priority.
The vendor did not provide the complete information on the patch. More specifically, on a component of the patch they should have known could cause very big issues.
While I can't condone the corporate policy of always having the oldest software you can get away with, the vendor is really who failed here.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
