CVE-2022-26355

Name of the Vulnerable Software and Affected Versions Citrix Federated Authentication Service (FAS) versions 7.17 through 10.6

Description The issue arises when Citrix Federated Authentication Service (FAS) is configured to store a registration authority certificate's private key in a Trusted Platform Module (TPM) using PowerShell. Instead of storing the key in the TPM, it is incorrectly stored in the Microsoft Software Key Storage Provider (MSKSP). This problem does not occur if the FAS administration console is used for configuration or if the TPM is not selected.

Recommendations For Citrix Federated Authentication Service (FAS) versions 7.17 through 10.6, as a temporary workaround, consider avoiding the use of PowerShell for configuring FAS to store the registration authority certificate's private key in the TPM. Instead, use the FAS administration console for configuration to prevent the private key from being stored in the Microsoft Software Key Storage Provider (MSKSP). At the moment, there is no information about a newer version that contains a fix for this vulnerability.