Denial of Service in Citrix MetaFrame

Reported October 16, 2001, by Internet Security Systems.


  • Citrix MetaFrame XP for Windows 2000

  • Citrix MetaFrame XP SP1 for Windows 2000

  • Citrix MetaFrame 1.8 for Windows NT

  • Citrix MetaFrame 1.8 SP3 for Windows NT


A vulnerability exists in the Citrix MetaFrame server application that lets an attacker crash the server, resulting in a Denial of Service (DoS). An improper handling of multiple sessions on the Citrix server causes this DoS condition. By spoofing the protocol that runs between the MetaFrame client and server, an attacker can start multiple fake sessions with the affected server. These sessions typically pass filename and other information from client to server before the system has set up encrypted channels. The server lets an attacker start a maximum of approximately 52 sessions. After these sessions time out, any new sessions that start can cause the server to crash with a blue screen.



The vendor, Citrix, recommends that users install the appropriate hotfixes that the vendor will make available soon.


Discovered by Justine Bone, Glyn Geoghegan, and Paul Davies of Internet Security Systems.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.