Highly critical “Ghost” allowing code execution affects most Linux systems – #Vulnerability, #Security, #Linux
And here it continues, another critical vulnerability that affects most Linux systems. Make sure your systems are updated and rebooted! A new glibc package on disk does nothing for processes that were started before the upgrade: they keep the old, vulnerable library mapped until they are restarted, so either reboot or restart every long-running service (mail, web, SSH and so on).
More information about affected Citrix systems can be found here:
Citrix Security Advisory for glibc GHOST Vulnerability (CVE-2015-0235)
Here is a great article on the vulnerability itself from arstechnica.com:
An extremely critical vulnerability affecting most Linux distributions gives attackers the ability to execute malicious code on servers used to deliver e-mail, host webpages, and carry out other vital functions.
The vulnerability in the GNU C Library (glibc) represents a major Internet threat, in some ways comparable to the Heartbleed and Shellshock bugs that came to light last year. The bug, which is being dubbed “Ghost” by some researchers, has the Common Vulnerabilities and Exposures designation of CVE-2015-0235. While a patch was issued two years ago, most Linux versions used in production systems remain unprotected at the moment. What’s more, patching systems requires core functions or the entire affected server to be rebooted, a requirement that may cause some systems to remain vulnerable for some time to come.
The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that’s invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position-independent executables, and no-execute protections. Qualys has not yet published the exploit code but eventually plans to make it available as a Metasploit module.
“A lot of collateral damage on the Internet”
The glibc is the most common code library used by Linux. It contains standard functions that programs written in the C and C++ languages use to carry out common tasks. The vulnerability also affects Linux programs written in Python, Ruby, and most other languages because they also rely on glibc. As a result, most Linux systems should be presumed vulnerable unless they run an alternative to glibc or use a glibc version that contains the update from two years ago. The specter of so many systems being susceptible to an exploit with such severe consequences is prompting concern among many security professionals. Read more…
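As an added example, not code from the Ars Technica article, from Qualys or from Citrix: a small C program that checks the glibc the running process is linked against for GHOST, using the same canary technique as the test Qualys published in its advisory. It hands gethostbyname_r() a buffer that is immediately followed by a canary, together with a digits-only hostname sized so the call needs exactly one more char pointer than the buffer can hold. A vulnerable __nss_hostname_digits_dots() undercounts the space it needs, writes past the buffer and clobbers the canary; a fixed glibc notices the buffer is too small and fails with ERANGE without touching it. The GHOST_UNKNOWN result and the ghost_probe_len() helper are my additions, for libcs that take neither path. Build on a Linux/glibc host with gcc.

```c
/* GHOST (CVE-2015-0235) local check, after the canary test in the Qualys advisory.
 * Added example; not the article's, Qualys's or Citrix's code. Linux/glibc only. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

enum ghost_result { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_UNKNOWN = 2 };

/* The scratch buffer handed to gethostbyname_r() is laid out so that the
 * canary sits right behind it: any write past the end lands on the canary. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp;

/* Hostname length from the Qualys advisory: glibc reserves sizeof(struct in_addr)
 * (16 bytes for the IPv6-capable union) and two char* for h_addr_ptrs in the
 * buffer before the name; the missing term in the vulnerable size calculation
 * is the one extra char* for h_alias_ptr, so size the name to fill the buffer
 * exactly and the fixed code must reject it with ERANGE. */
size_t ghost_probe_len(void)
{
    return sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
}

enum ghost_result ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];
    size_t len = ghost_probe_len();

    memset(&temp, 0, sizeof(temp));
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* All digits, no dots: takes the numeric-address path in
     * __nss_hostname_digits_dots(), where the overflow lives. */
    memset(name, '0', len);
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                                 &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;      /* canary overwritten: the overflow happened */
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;  /* fixed glibc rejected the too-small buffer */
    return GHOST_UNKNOWN;             /* some other libc or code path; not a glibc verdict */
}

int main(void)
{
    static const char *label[] = { "not vulnerable", "vulnerable", "unknown" };
    enum ghost_result r = ghost_check();

    printf("GHOST check (CVE-2015-0235): %s\n", label[r]);
    return r == GHOST_VULNERABLE ? 1 : 0;
}
```

Run it once per host after patching, but note what it does and does not prove: it reports on the glibc that this freshly started process mapped from disk. Daemons started before the upgrade (Exim, sshd, the web server) still have the old library mapped until they are restarted, which is why the advisories insist on a reboot. On RPM-based systems, `rpm -q --changelog glibc | grep CVE-2015-0235` is a quicker, if indirect, check that the installed package carries the fix.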
Citrix have released a couple of good blog posts on the new version of XenMobile 10:
Ten Benefits XenMobile 10 Offers To Channel Partners
XenMobile 10 marks the simplification milestone in our Enterprise Mobility Management journey. Today, at Summit Las Vegas we are happy to announce the release of XenMobile 10. XenMobile brings great benefits for both end users and IT administrators.
And here are ten benefits I can think of, from the top of my head that XenMobile 10 brings to our Citrix channel partners:
- Better for Business:
With the 20+ enterprise workflow efficiencies and design improvements that enable business users’ productivity on smartphones and tablets, XenMobile is focused on empowering mobile users. With Citrix’s dedicated focus on user experience, the Worx apps and the Worx Gallery apps are designed to enable enterprise user workflows.
- Enterprise-grade Product: XenMobile architecture is built for complex and sophisticated network topologies that exist in a typical large enterprise with its offices and users across the world.
- Consolidated Architecture: XenMobile 10 integrates the mobile device and application management consoles along with some NetScaler Gateway controls, into one product. This consolidated architecture in this release makes it easy to use and deploy thereby ensuring our channel partners remain successful in their service engagements.
- Intuitive Dashboard: XenMobile 10 brings a fresh look with the redesign of the administrative dashboard. Channel partners can now manage and deploy XenMobile with a complete understanding of the deployments.
- Faster Deployment: With the consolidated architecture for mobile device and application management along with the additional controls for NetScaler Gateway, the deployment time with XenMobile 10 is reduced by 75%!
- Mobile User Workflows: True mobility is about enabling the user not with a bunch of applications, but with the applications that let the user get their job done without exhaustingly navigating through multiple apps. XenMobile has always focused on enabling user workflows; XenMobile 10 now delivers additional enhancements that allow end users to remain productive without having to be tethered to a specific device or location.
- Automation: We recently announced the automation of the APNS certificate signing process, with which partners can now renew the APNS certificates for their customers. The concept of automation is now extended to ISV partners’ self-verification of their wrapped applications and a self-service portal for end users that allows them to locate, track and wipe their lost/stolen device themselves.
- Faster Migration: With the migration tools that will be released for XenMobile 10, channel partners can easily migrate the existing XenMobile customers.
- Security and best-in-class User Experience: Traditionally, security and user experience of products never coexisted. However, XenMobile is proud to bear an exception for this norm by delivering an end user experience that is Better For Business without compromising security. XenMobile offers end-to-end FIPS compliant solution for mobility.
- Specialization Benefits:…
This is a really good blog post by Christopher Fife; it touches on a couple of scenarios and explains how best to accommodate each of them. Good work Christopher! :-)
The Citrix Connector 7.5 for System Center 2012 Configuration Manager, also known simply as the Citrix Connector, integrates XenApp and XenDesktop 7 with Configuration Manager 2012 (CM). The Connector streamlines use of Configuration Manager deployment technology to automate Citrix server and desktop image management. The Connector leverages the new Application/Deployment Type (App/DT) feature of Configuration Manager 2012 to orchestrate deployment to the right images at the right time. Administrators can optionally use the App/DT model to deliver the actual application publications.
Many of our customers are still early in migrating to the App/DT model. They are still leveraging their extensive library of Packages and Programs developed with great care over many years. These Citrix customers want to know how to use all the goodness of the Connector with these Packages and Programs. So, if you are interested in using the Citrix Connector to deploy Packages and Programs to your Citrix servers and desktop, this post is for you.
In many cases deploying Packages and Programs with the Citrix Connector is a straight forward process familiar to any CM administrator. However there are two scenarios in which specific actions are required to avoid unintended consequences when deploying Packages and Programs with the Citrix Connector.
Scenario 1 – Deploying to Image Managed (MCS or PVS) Citrix hosts
The first scenario that requires special consideration is deploying Packages and Programs to VMs created with Citrix XenDesktop Machine Creation Services (MCS) or Citrix Provisioning Services (PVS). As an administrator, you want to deploy software on the master image of a Machine Catalog and rely on XenDesktop/XenApp to clone worker VMs. Deploying directly to VM clones wastes compute, storage, and network resources because each clone will discard the changes on reboot.
Thus, the Citrix Connector is optimized to only install applications on the master image of a Machine Catalog while entirely skipping application installation on the clones of the master image. The key enabler that allows us to selectively install applications is a CM client policy that puts a 3rd party agent like the Citrix Connector in charge of when to install application or updates.
Here’s the problem. CM client policy does not stop the installation of Packages and Programs or Task Sequences; it only applies to the App/DT model and Windows Updates. This means that the Citrix Connector cannot prevent the installation of Packages and Programs on MCS or PVS clones, leading to unnecessary resource utilization.
Solution: Create a device collection that contains just the update device, and deploy Packages and Programs to this collection instead of the device collection created by the Citrix Connector.
Scenario 2 – App Publishing from the CM Console
The second scenario comes into play when using the CM Console to publish the Package/Program as a XenApp-hosted application. The Citrix Connector uses CM application detection logic to ensure that the application is installed before publishing it to Citrix Receiver. This is to prevent an icon from appearing in Receiver before all the servers in a Delivery Group have the application installed.
Unfortunately Package/Program deployments do not have reliable, ongoing application detection logic. Consequently, this orchestration feature of the Citrix Connector cannot be supported when using the Citrix Application Publishing Wizard to publish apps from the Configuration Manager Console.
Solution: Use Citrix Studio to publish the application instead of the Citrix Application Publishing Wizard in the CM Console.
If you are using CM Application Catalog and want the Citrix hosted version of the installed program to appear there, you will need to create a new application with a Script deployment type and a Citrix deployment type. The Script DT supplies the application detection logic by looking for the application’s executable, while the Citrix DT creates the application publication in XenDesktop.
The remainder of this post is divided into two sections and will give specific examples of how to implement the solutions discussed above. The first focuses on image management and precisely targeting the program deployment at the update device for a Citrix device collection. The second section focuses on publishing the program installed by CM as a Citrix hosted app.
Solution for Image Management and Resource Utilization
As previously mentioned, the Citrix Connector cannot prevent the installation of Packages and Programs on pooled Citrix session hosts created with Machine Creation Services (MCS) or Provisioning Services (PVS). To prevent this potential inefficiency, a new device collection must be created that contains only the update device. There are 4 steps to accomplish this:
- create the new device collection,
- deploy the program to the new device collection,
- monitor for deployment success on the update device, and
- update the pooled Citrix session hosts with the updated image.
These steps are detailed below.
For background information about master image management with the Citrix Connector and the role of the update device, watch the Master Image Management video http://www.citrix.com/tv/#videos/11534 on CitrixTV.
Before you start, use the machine catalog properties to make sure there is a designated update device: the Update Method property value is “update device” and the Update Device property value contains a machine name. This is a very important step. If an update device is not defined for a Citrix image-managed device collection, the steps outlined below will result in a new device collection with zero members.
Step 1: Use the Configuration Manager Console to create a device collection
- In the Assets and Compliance section of the Configuration Manager Console, click the “Create device collection” action on the toolbar ribbon.
- On the General Page of the Create Device Collection Wizard,
Have a look at the new version of the Microsoft Azure Cost Estimator Tool, here is a good summary by Courtenay Bernier. It currently only supports US pricing but would give you a good estimate at least and hopefully it’s updated with all other country pricing as well soon!
Back in August of 2014 Microsoft released version 1.0 of the Azure (IaaS) Cost Estimator Tool (view my previous post here). Today I’m happy to announce the release of version 1.2!
The following new features have been updated/added:
- Support for all regions (apart from US) along with associated currencies.
- Support for D-Series virtual machines.
- Export data with new regions and currency symbols.
- Updated instance prices for all regions and currencies.
- Total monthly costs are now calculated over 31 days that’s 744 hours and is aligned with the costs displayed in the Azure portal. (In version 1.0 costs were calculated over 30 days).
Estimated runtime of 31 days
D-Series VMs Added Read more…
Another great blog series from Thomas W Shinder – MSFT and contributors!
The Cloud Platform Integration Framework (CPIF) provides workload integration guidance for onboarding applications into a Microsoft Cloud Solution. CPIF describes how organizations, Microsoft Partners and Solution Integrators should design and deploy Cloud-targeted workloads utilizing the hybrid cloud platform and management capabilities of Azure, System Center and Windows Server
Table of Contents
Joel Yoker – Microsoft
David Ziembicki – Microsoft
Tom Shinder – Microsoft
Cloud Platform Integration Framework Overview and Patterns:
The CPIF domains have been decomposed into the following functions:
Figure 1: Cloud Platform Integration Framework
By integrating these functions directly into workloads….
Continue reading here!
This series of blog posts by Thomas W Shinder – MSFT and contributors is really great and does cover the best practices and principles behind building Microsoft-based private or hybrid IaaS services. Have a look at their great work!
The goal of the Infrastructure-as-a-Service (IaaS) Foundations series is to help enterprise IT departments and cloud service providers understand, develop, and implement IaaS infrastructures. This series provides comprehensive conceptual background that combines Microsoft software, consolidated guidance, and validated configurations with partner technologies such as compute, network, and storage architectures, in addition to value-added software features.
The IaaS Foundations Series utilizes the core capabilities of the Windows Server 2012 R2 operating system, Hyper-V, System Center 2012 R2, Windows Azure Pack and Microsoft Azure to deliver on-premises and hybrid cloud Infrastructure as a Service.
Table of Contents
Chapter 1: Microsoft Infrastructure as a Service Foundations (this article)
Microsoft Infrastructure as a Service Foundations is written and presented in a way that enables architects, designers, implementers and operators to view the content that is most relevant to them. Some readers will choose to read the entire “book”, while others will focus on areas that are most interesting and relevant to them.
At this time, the Microsoft IaaS Foundations “book” is available in web format only. In the coming days, individual files (one for each chapter) and a single file that represents a compilation of all the chapters, will be made available for download. A link to these files will be included in this article, and in each of the articles included in this “book”.
The world of cloud computing moves quickly and the underlying technologies supporting the infrastructure that powers the cloud change and improve just as fast. For this reason, each of the chapters includes a published date and the versions of the software that are discussed in the text. For non-versioned software and services (such as Microsoft Azure), a note of “feature set and capabilities as of…” date is included.
Your feedback is crucial
A lot of time, energy and expense goes…
Continue reading here!
I really feel for you Solution Architects out there that have to struggle with how to revamp your company’s or customers’ Hosted Desktop/App services. They may be provided by a service provider today, or you do it yourself on-premise and manage them, or you’ve already taken the step to purchase it as a true DaaS/SaaS service from a public cloud provider. Today the options are many, and too many if you add all the hosting models and the technology options you have. From a business perspective you’re getting the heat to deliver something with the word “cloud” in it just because it’s hot, and management then expects that TCO is sooooo low, that you have no problems delivering at all within a couple of weeks, and that you can scale up and down without any issues at all from a financial or technical perspective… ;-)
Often you also don’t even have the business, security, functional or technical requirements, so you’re supposed to come up with the magic solution that fits all needs! ;-)
My personal view is also that some of our vendors/partners out there don’t seem to have one (1) clear strategy either (at least not officially).
Some are building and providing their own “cloud architecture” models for DaaS for partners to build on (VMware, Citrix, Microsoft etc.), and then they also provide specific models for certain partners that run on top of other cloud solutions, like Citrix Service Provider (CSP) offerings on Azure or on-premise. As a partner to these companies you are also in a tough spot: are you to partner with them and deliver their technology on your infrastructure, or shall you wait until they deliver a fully working public cloud offering (like WorkSpace Services) and then add your value on top of that? Options are many and I don’t think that Citrix has given their whole story yet. I still think that business-wise they need to go where Microsoft is going by providing a DaaS service themselves directly to customers, and thereby also “cut” the partner network out, because once the technology and self-service become too easy, then what value shall they add? There will always be customers that want help to onboard, operate etc. of course, but this will be another type of service, and many Citrix and Microsoft partners need to become more solution focused, get away from the SME space and deliver integration and more IT management consulting skill sets instead.
But let’s get back to more technology…
I’ve been kind of waiting to get some time over to test the RemoteApp service in Azure. I personally think that this is the future and the way that many small to medium-sized businesses shall fairly shortly start to look at. Not all of these companies have the skill set or financials to look at building a good Software-as-a-Service (SaaS) offering of Windows applications internally. I’m a bit annoyed though that out of the box there isn’t any Desktop-as-a-Service (DaaS) offering and that it’s still just the RDS/Hosted Shared Desktop model that is provided. A real Hosted Virtual Desktop or VDI offering would be nice, and a license model that goes with it from Microsoft.
There are today so many different options that companies that want to provide or consume a DaaS service can leverage. Citrix Service Providers have all of their options in terms of technology stacks (CloudStack, CloudPlatform, CSP for Azure, App Orchestration 2.5, Microsoft System Center, Azure Pack and all other options that are out there)… but which one shall/can you select? And what if you’re NOT a Citrix service provider and have a huge datacenter and haven’t already done your CAPEX investments around compute, network and storage etc.? Where do you then turn?
I think that this is where RemoteApp and a future Workplace Services offering with Citrix on top would be great! You as a customer can turn to a partner/consultant company to get guidance and assess all your requirements, and then easily be provisioned an environment that is of the “standard cloud offering” type, or get a customised one tailored specifically for your needs.
Like in my little demo scenario here I provisioned a fully functional RemoteApp environment that hosted all of the Microsoft Office 2013 apps that I use and also got a lot of storage at the same time… in almost no time at all!
Azure RemoteApp helps employees stay productive anywhere, and on a variety of devices – Windows, Mac OS X, iOS, or Android. Your company’s applications run on Windows Server in the Azure cloud, where they’re easier to scale and update. Users can access their applications remotely from their Internet-connected laptop, tablet, or phone. While appearing to run on the users’ local device, the applications are centralized on Azure’s protected, reliable platform.
Azure RemoteApp combines Windows application experiences with the powerful capabilities of Remote Desktop Services on Microsoft Azure – the cloud for modern business.
I also like the licensing model:
- Azure RemoteApp is priced per user and is billed on a monthly basis.
- The service is offered in two tiers: Basic and Standard. Basic is designed for lighter weight applications (e.g. for task workers). Standard is designed for information workers to run productivity applications.
- Pricing: Each service has a starting price per user that includes 40 hours of service per user. Thereafter, a per hour charge is applied for each user hour up to a capped price per user. You will not pay for any additional usage beyond the capped price in a given month.
RDS on Azure example quote:
More Azure solution pricing examples: http://blogs.technet.com/b/uspartner_ts2team/archive/2014/10/14/more-azure-solution-pricing-examples.aspx
What if you then also shall put Citrix on top of that… cost increases of course, and you’re still kind of limited to being an SPLA or CSP in order to build this, or you go and ask an SPLA/CSP to provide it for you if you’re an end-customer.
But back *again* to the test-drive that I did of RemoteApp…