Citrix Federated Authentication Service (FAS)

CVE-2022-26355

4.4MEDIUM

Key Information

Vendor: Citrix
Status: Federated Authentication Service (fas)
Vendor: CVE Published:; 10 March 2022

Summary

Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes deployments that have been configured to store a registration authority certificate's private key in a Trusted Platform Module (TPM) to incorrectly store that key in the Microsoft Software Key Storage Provider (MSKSP). This issue only occurs if PowerShell was used when configuring FAS to store the registration authority certificate’s private key in the TPM. It does not occur if the TPM was not selected for use or if the FAS administration console was used for configuration.

Affected Version(s)

Federated Authentication Service (FAS) <= 10.6

Federated Authentication Service (FAS) < 7.17

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Mar 10, 2022
Vulnerability Reserved.
Mar 2, 2022

Collectors

NVD DatabaseMitre Database