
Migrating a Citrix XenDesktop Environment to a New VMware vCenter Instance

Introduction

Recently we ran into a situation where a customer had requested an upgrade of their existing VMware vCenter from version 5.1 to 5.5. Upon reviewing the existing vCenter server, we noticed that both VMware SSO and SRM were running on the same server. Based on VMware best practices, we recommended separating vCenter, SSO and SRM onto three distinct servers. The migration of the services to the three new servers worked without any issue. However, the existing Citrix XenDesktop environment was still pointing to the old vCenter instance. Unfortunately, Citrix doesn’t make it easy to simply repoint the environment to the new vCenter instance.

Solution

The Citrix XenDesktop 5.6 environment was using Machine Creation Services (MCS) along with the Personal vDisk (PVD) feature. Both features integrate heavily with the virtual infrastructure, in this case VMware vCenter. To resolve this issue, Gotham created new virtual desktops based on the new vCenter instance. We then followed http://support.citrix.com/proddocs/topic/xendesktop-7/cds-manage-personal-vdisks.html to back up each PVD and restore it to the corresponding new virtual desktop. The PVD migration could only take place while the user was logged off, because the PVD is locked while the user is logged on. Following the backup and restore of the PVD, we simply disabled access to the old virtual desktop and enabled access to the new virtual desktop.
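The cutover described above has to be repeated per user, and the one check that matters is that the user is logged off before the PVD is touched. The following PowerShell script is an added example, not Gotham’s script and not part of the referenced Citrix article; it gates the per-desktop migration on the broker’s session state, takes the old desktop out of service, and moves the user’s assignment to the new desktop. It assumes the XenDesktop 5.x Broker PowerShell snap-in (Citrix.Broker.Admin.V1) on a Delivery Controller; the machine and user names are placeholders, the -PrivateDesktop parameter name is from the 5.x SDK (XenDesktop 7 renamed it -Machine), and the hypervisor-side backup and restore of the PVD file is left as a manual step following the Citrix procedure.

```powershell
# Added example (not Gotham's code): per-user PVD cutover gated on session state.
# Assumes the XenDesktop 5.x Broker snap-in on a Delivery Controller and
# placeholder machine/user names.
Add-PSSnapin Citrix.Broker.Admin.V1

$OldDesktop = 'CORP\OLDVDI01'   # placeholder: desktop registered via the old vCenter
$NewDesktop = 'CORP\NEWVDI01'   # placeholder: desktop created via the new vCenter
$User       = 'CORP\jdoe'       # placeholder: the user assigned to both desktops

# 1. Refuse to proceed while the user is logged on: the PVD is locked.
$session = Get-BrokerSession -MachineName $OldDesktop -ErrorAction SilentlyContinue
if ($session) {
    throw "User $($session.UserName) still has a $($session.SessionState) session on $OldDesktop; PVD is locked. Aborting."
}

# 2. Keep new logons off the old desktop while the PVD is copied.
$old = Get-BrokerMachine -MachineName $OldDesktop
Set-BrokerMachineMaintenanceMode -InputObject $old -MaintenanceMode $true

# 3. Power the old desktop off so the PVD file is not held open by the hypervisor.
if ($old.PowerState -ne 'Off') {
    New-BrokerHostingPowerAction -MachineName $OldDesktop -Action Shutdown | Out-Null
    do {
        Start-Sleep -Seconds 10
        $old = Get-BrokerMachine -MachineName $OldDesktop
    } until ($old.PowerState -eq 'Off')
}

# 4. Back up and restore the PVD per the Citrix article (hypervisor-side copy of the
#    PVD disk file onto the new desktop); deliberately not scripted here.
Read-Host "Restore the PVD from $OldDesktop onto $NewDesktop now, then press Enter"

# 5. Move the assignment: remove the user from the old desktop, assign to the new one.
#    -PrivateDesktop is the 5.x SDK parameter; XenDesktop 7 uses -Machine instead.
Remove-BrokerUser -Name $User -PrivateDesktop $OldDesktop
Add-BrokerUser    -Name $User -PrivateDesktop $NewDesktop

# 6. Bring the new desktop into service; the old one stays in maintenance mode
#    until it is decommissioned, so a stale PVD can never be mounted twice.
$new = Get-BrokerMachine -MachineName $NewDesktop
Set-BrokerMachineMaintenanceMode -InputObject $new -MaintenanceMode $false

# Final state for the change record.
Get-BrokerMachine -MachineName $OldDesktop, $NewDesktop |
    Select-Object MachineName, PowerState, InMaintenanceMode, AssociatedUserNames
```

Run it once per desktop pair during a logon-free window; the throw in step 1 makes it safe to re-run against a desktop whose user has come back, and the old desktop is never re-enabled, so there is no window in which both copies of the PVD are in use.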

Summary

Overall this was a tedious process, even for a small XenDesktop implementation. If this had been a much larger deployment of XenDesktop with PVD, it would have been a major issue.

Gotham Security Daily Threat Alerts

October 17, Threatpost – (International) SAP patches DoS flaw in Netweaver. SAP released a patch for its Netweaver platform that closes a remotely exploitable denial of service (DoS) vulnerability reported by Core Security researchers in June. The vulnerability could allow an unauthenticated attacker to use a specially crafted SAP Enqueue Server packet to create the DoS condition. Source

October 17, IDG News Service – (International) New technique allows attackers to hide stealthy Android malware in images. Two researchers presenting at the Black Hat Europe conference October 16 revealed a technique dubbed AngeCryption that could allow an attacker to hide malicious Android applications inside image files in order to avoid detection by antivirus programs and potentially the Google Play store’s malware scanner. Source

October 16, Softpedia – (International) XSS risk found in links to New York Times articles prior to 2013. A student reported and published a proof of concept for a vulnerability in articles on the New York Times Web site published before 2013 that could allow attackers to hijack browser sessions, direct users to phishing sites, or steal cookies by exploiting a cross-site scripting (XSS) flaw. The vulnerability exists on pages containing certain buttons and does not affect the most recent versions of popular Web browsers. Source

October 16, The Register – (International) Bad news, fandroids: He who controls the IPC tool, controls the DROID. Researchers with Check Point presenting at the Black Hat Europe conference October 16 detailed a flaw in the Android inter-process communication (IPC) tool Binder that could allow attackers to override in-app security features to tamper with apps and steal passwords and other information. Source

October 16, IDG News Service – (International) All-in-one printers can be used to control infected air-gapped systems from far away. A cryptographer and two researchers from Ben-Gurion University presenting at the Black Hat Europe conference October 16 demonstrated how an all-in-one printer could be used to issue commands to infected systems on an air-gapped network by shining infrared or visible light at the scanner lid when open, issuing commands to malware already planted on the system via USB drive or other method. The researchers were able to successfully test the method at a target printer inside a building at 200, 900, and 1,200 meters and stated that a more powerful laser could produce reliable results from up to 5 kilometers. Source


Gotham Security Daily Threat Alerts

October 16, Securityweek – (International) Attackers abuse UPnP devices in DDoS attacks, Akamai warns. Researchers at Akamai Technologies reported that attackers have increasingly used the Simple Service Discovery Protocol (SSDP) that comes enabled on Universal Plug and Play (UPnP) devices to launch reflection and amplification distributed denial of service (DDoS) attacks starting in July. The researchers found that 4.1 million Internet-facing devices could be used in this type of DDoS attack. Source

October 16, Help Net Security – (International) New OpenSSL updates fix POODLE, DoS bugs. The OpenSSL Project released updates to OpenSSL that close four serious vulnerabilities, including the POODLE issue and two memory leak issues that could be used to launch denial of service (DoS) attacks against servers. Source

October 15, The Register – (International) FireEye, Microsoft, Cisco team up to take down RAT-flinging crew. A group of security and IT firms led by Novetta began a coordinated campaign to detect and remediate malware installations belonging to a cyberespionage campaign targeting policy groups, governments, financial services institutions, the education sector, and think tanks since 2010. The cyberespionage group uses several tools including Moudoor, a derivative of the Gh0st RAT remote access trojan, and the Hikiti malware used to control compromised systems. Source

October 15, Threatpost – (International) Drupal fixes highly critical SQL injection flaw. Drupal issued a patch for its popular content management system (CMS) that closes a critical SQL injection vulnerability affecting version 7.x. The vulnerability could allow an unauthenticated user to perform arbitrary SQL execution and all users were advised to update their installations as soon as possible. Source

October 16, Softpedia – (International) Botnets used in “Wolf of Wall Street” spam campaign. Researchers with Bitdefender identified a spam campaign dubbed “Wolf of Wall Street” that uses botnets to send out promotional emails encouraging penny stock investors to purchase stocks of Canada-based Confederation Minerals Ltd., which has resulted in the transaction volume of the company increasing to 1,620,000 shares from 10,000 shares within 3 days. The spam campaign is the largest recorded in 2014 and the attackers behind it stand to profit by selling stocks after inflating the prices. Source

October 15, Softpedia – (International) Cyberswim announces data breach lasting for more than three months. Cyberswim Inc., notified customers who made purchases on its Web site between May 12 and August 28 that their personal information, including payment card data, may have been compromised after officials confirmed that malicious software was installed on the company’s network, granting attackers access to the data. Cyberswim updated its Web site code and issued a password reset command to block the intruders’ access to the network. Source

Gotham Security Daily Threat Alerts

October 14, Help Net Security – (International) Russian espionage group used Windows 0-day to target NATO, EU. iSIGHT Partners discovered a zero-day vulnerability used in a cyber-espionage campaign dubbed SandWorm targeting the North Atlantic Treaty Organization, the European Union, Ukrainian and Polish government organizations, and several European telecommunications and energy sectors. Microsoft is expected to release a patch for the zero-day, which affects supported versions of Microsoft Windows and Windows Server 2008 and 2012. Source: http://www.net-security.org/secworld.php?id=17491

October 14, Softpedia – (International) Dropbox denies being hacked, points to third-party services. Dropbox announced that its servers were not breached after a list of 420 username and password pairs was publicized on Pastebin by a poster claiming that more would be published in exchange for Bitcoin donations. The company reported that the information was stolen from other Web services used by the victims, who had reused the same usernames and passwords for Dropbox. Source: http://news.softpedia.com/news/Dropbox-Denies-Being-Hacked-Points-At-Third-Party-Services-461989.shtml

October 13, Network World – (International) The snappening: Snapsaved admits to hack that leaked SnapChat photos. Snapsaved, a third-party Snapchat app, was hacked due to a misconfiguration in its Apache server, resulting in the release of 500MB of images containing between 90,000 and 200,000 photos and videos. Snapsaved subsequently deleted the entire Web site and database associated with the breach. Source: http://www.networkworld.com/article/2825359/microsoft-subnet/the-snappening-snapsaved-admits-to-hack-that-leaked-snapchat-photos.html

October 10, Securityweek – (International) Multiple vulnerabilities found in BMC Track-It! help desk software. Researchers with the Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) and Agile Information Security found that Track-It! version 11.3.0.355, the IT helpdesk solution created by BMC Software, contains three vulnerabilities: improper permissions, privileges, and access control; missing authentication for a critical function; and a blind SQL injection. The company is working on addressing the issues. Source: http://www.securityweek.com/multiple-vulnerabilities-found-bmc-track-it-help-desk-software

October 10, SC Magazine – (International) New mobile trojan masquerading as Tic-tac-toe game targets Android devices. Kaspersky Lab researchers found that a Tic-tac-toe game available on Android devices houses the Gomal trojan, which allows hackers to record audio from the microphone, steal incoming SMS messages, steal data from the device log, and obtain root privileges, among other things. Good for Enterprise researchers determined that the app was a proof-of-concept app presented at Black Hat 2013 and that it exploited only a Samsung Exynos memory access vulnerability, which has since been patched. Source: http://www.scmagazine.com/new-mobile-trojan-masquerading-as-tic-tac-toe-game-targets-android-devices/article/376722/

October 10, SC Magazine – (International) HP to remove digital signature that code-signed malware. Symantec discovered that an HP digital certificate was used to cryptographically sign (code-sign) malware shipped through HP products in May 2010. HP will revoke the digital certificate October 21 after researchers found an apparent signature on a four-year-old trojan that may have been included in the software. Source: http://www.scmagazine.com/hp-to-remove-digital-signature-that-code-signed-malware/article/376737/

Gotham Security Daily Threat Alerts

October 10, Securityweek – (International) New Rovnix variant targets users in EU countries. Researchers with CSIS Security Group identified a new variant of the Rovnix malware currently targeting users in European Union countries that includes a new domain generation algorithm (DGA), changes to avoid detection, and removes a bootkit component. Source

October 9, Threatpost – (International) Shellshock exploits spreading Mayhem botnet malware. Researchers at Malware Must Die reported detecting a number of Linux and UNIX systems infected by several IP addresses belonging to the Mayhem botnet. The botnet was found to be pinging Internet-facing systems looking for the Shellshock vulnerability in order to drop a new remote installer written in Perl. Source

October 14, Information Week Dark Reading – (International) Russian Cyberspies Hit Ukrainian, US Targets With Windows Zero-Day Attack. Researchers at iSIGHT Partners, who have been tracking the so-called Sandworm cyber espionage team out of Russia and four other such teams there for some time, discovered the group using a previously unknown security weakness in Windows. Today, as part of its monthly patch cycle, Microsoft will issue a patch for the CVE-2014-4114 bug, which is found in Windows Vista; Windows versions 7, 8, and 8.1; and Windows Server 2008 and 2012. The Sandworm gang is using the zero-day for the initial attack, which then drops a variant of the notorious BlackEnergy Trojan traditionally used by the pervasive Russian cybercrime underground. Source

Gotham Security Daily Threat Alerts

October 9, Help Net Security – (International) Aggressive Selfmite SMS worm variant goes global. Researchers with AdaptiveMobile identified a new variant of the Selfmite SMS worm for Android that spreads via malicious links in SMS messages that lead to a trojanized Google Plus app. The worm uses compromised devices to send the malicious SMS messages to every contact on the device several times and redirect users to unsolicited subscription Web sites. Source: http://www.net-security.org/malware_news.php?id=2881

October 9, Securityweek – (International) Multiple vulnerabilities found in SAP enterprise software. Researchers at Onapsis published seven advisories for flaws in SAP HANA, SAP BusinessObjects, and SAP NetWeaver Business Warehouse enterprise software, including a remotely exploitable command injection vulnerability in HANA that could allow an unauthenticated attacker to completely compromise the SAP system and the information it handles and stores. Source: http://www.securityweek.com/multiple-vulnerabilities-found-sap-enterprise-software

October 8, Securityweek – (International) Several Siemens industrial products affected by ShellShock bug. Siemens released an advisory warning that variants of the Shellshock vulnerability can be leveraged by attackers against several of its products including some versions of Rugged Operating System on Linux (ROX) 1 and ROX 2 and APE Linux versions. The company is working on developing patches for the affected products. Source: http://www.securityweek.com/several-siemens-industrial-products-affected-shellshock-bug

October 8, Softpedia – (International) There is anti-BadUSB protection, but it’s a bit sticky. The researchers who revealed the details for infecting USB devices via the BadUSB vulnerability released a patch and instructions for preventing the reprogramming of USB devices by disabling the “boot mode” state of the device. The researchers stated that a patched device could be tampered with to reset it and remove the patch, and suggested physically securing the device with glue or similar substances to prevent undetected access. Source: http://news.softpedia.com/news/There-Is-Anti-BadUSB-Protection-but-It-s-a-Bit-Sticky-461485.shtml

Gotham Security Daily Threat Alerts

October 8, Securityweek – (International) Google fixes 159 security bugs with release of Chrome 38. Google released the latest version of its Chrome browser for Windows, Linux, Mac, and iOS, closing 159 security vulnerabilities. Source

October 8, The Register – (International) Adobe spies on reading habits over unencrypted web because your ‘privacy is important.’ Adobe confirmed October 8 that its Digital Editions software collects information on users’ ebooks and sends it to Adobe servers as part of digital rights management (DRM) practices after a researcher reported finding the traffic being sent from Digital Editions. The company also confirmed that the information was sent in an unencrypted format and would be corrected, and stated that it was investigating the researcher’s claims that the program collected additional information on ebooks files stored on users’ systems. Source

October 8, Securityweek – (International) SSDP reflection attacks spike in Q3: Arbor Networks. Arbor Networks released its report on distributed denial of service (DDoS) attacks during the third quarter (Q3) of 2014 and found that Simple Service Discovery Protocol (SSDP) reflection attacks grew significantly during Q3, with almost 30,000 such attacks during the quarter, among other findings. Source

October 7, Securityweek – (International) Siemens swats security bugs affecting PCS 7. Siemens released an update for its PCS 7 supervisory control and data acquisition (SCADA) product that addresses five issues with the WinCC product, including a hard coded encryption key and another issue that could lead to privilege escalation. Source

October 7, IDG News Service – (International) Belkin says router outages should be resolved. Belkin stated October 7 that it fixed an issue in some older wireless routers that caused the routers to experience problems around midnight October 7 when pinging a Belkin-hosted service in order to check network connectivity. Belkin advised users still experiencing issues to restart their routers. Source

October 7, Softpedia – (International) Tyupkin is new ATM malware that allows cash extraction without card. Researchers with Kaspersky Lab identified and analyzed a new piece of ATM malware known as Tyupkin that is installed on ATMs through a bootable CD and can allow attackers to withdraw currency without a card. The malware includes several security features to prevent access and analysis and was mostly found in Eastern Europe as well as some cases in the U.S., Asia, and Western Europe. Source
