CVE-2022-26355 — Vulnetix

CVE-2022-26355 PUBLISHED CVSS 4.400000095367432 MEDIUM

Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes deployments that have been configured to store a registration authority certificate's private key in a Trusted Platform Module (TPM) to incorrectly store that key in the Microsoft Software Key Storage Provider (MSKSP). This issue only occurs if PowerShell was used when configuring FAS to store the registration authority certificate’s private key in the TPM. It does not occur if the TPM was not selected for use or if the FAS administration console was used for configuration.

EPSS 0.03% · 8.7th percentile

Risk Scores

CVSS 3.1

4.400000095367432

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.03%

8.7th percentile

Affected Products

Vendor	Product	Versions
citrix	federated_authentication_service	7.17
Citrix	Federated Authentication Service (FAS)	unspecified, 7.17

Exploit Intelligence

https://support.citrix.com/article/CTX341587 (circl)

Timeline

Mar 9, 2022 CVE Published
Mar 10, 2022 EPSS Score
Apr 30, 2022 EPSS Score
Jun 21, 2022 EPSS Score
Aug 12, 2022 EPSS Score
Oct 3, 2022 EPSS Score
Nov 23, 2022 EPSS Score
Jan 13, 2023 EPSS Score
Mar 6, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 26, 2023 EPSS Score
Jun 17, 2023 EPSS Score

References

https://support.citrix.com/article/CTX341587 url
https://support.citrix.com/article/CTX341586 advisory
https://nvd.nist.gov/vuln/detail/CVE-2022-26355 advisory

Open in Interactive Console →