Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] Corsaire Security Advisory - Citrix Access Gateway session I

from [advisories] Network Security [Permanent Link]
Subject: [VulnWatch] Corsaire Security Advisory - Citrix Access Gateway session ID disclosure issue
Date: Mon, 22 Oct 2007 22:31:45 +0100

Note: This is a belated release to the mailing lists (though most of the tracking services picked this up via the Citrix advisory)...


-- Corsaire Security Advisory --

Title: Citrix Access Gateway session ID disclosure issue
Date: 05.09.06
Application: Citrix Advanced Access Control 4.0
            Citrix Advanced Access Control 4.2
            Citrix Access Gateway 4.5 Advanced Edition
            Citrix Access Gateway 4.5 Standard Edition
Environment: Windows
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c060905-001


-- Scope --

The aim of this document is to clearly define an issue that exists with
the Citrix Access Gateway product [1] that will allow an attacker to
gain access to an authenticated users' session ID.


-- History --

Discovered: 05.09.06 (Martin O'Neal)
Vendor notified: 19.10.06
Document released: 20.07.07


-- Overview --

Citrix Access Gateways are described [1] as "universal SSL VPN
appliances providing a secure, always-on, single point-of-access to an
organization's applications and data".

Amongst other features, the product provides a web portal to corporate
applications and resources.


-- Analysis --

The web portal interface incorporates a collection of .NET scripts,
which utilise a session ID contained within cookies.  During the
authentication sequence the user session is redirected via a HTTP meta
refresh header in an HTML response.  The browser subsequently uses this
within the next GET request (and the referer header field of the next
HTTP request), placing the session ID in history files, and both client
and server logs.  The use of the session ID within the HTML content is
made worse by the application not setting the HTTP cache control headers
appropriately, which can lead to the HTML content being stored within
the local browser cache.

Where this is a particularly problem, is where the web portal is
accessed from a shared or public access terminal, such as an Internet
Caf,; the very environment that this type of solution is intended for.

If an attacker can gain access to the session ID by any mechanism (such
as by recovering it from the local cache or logs), then they will be
able to access all the resources that are available to the user.

Strong authentication technology, such as SecurID 2FA, does not protect
against this style of attack, as the session ID is generated after the
strong authentication process is completed.


-- Recommendations --

Review the recommendations in the Citrix alert [2]. If possible, upgrade
to a version of the Citrix Access Gateway product that does not exhibit
this issue.

Until the product is upgraded, consider reviewing you remote access
policy to restrict the use of the product in shared-access environments.


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-0011 to this issue.  This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.


-- References --

[1] http://www.citrix.com/English/ps2/products/product.asp?contentID
   =15005
[2] http://support.citrix.com/article/CTX113814


-- Revision -- 

a. Initial release.
b. Released.


-- Distribution --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com


Copyright 2006-2007 Corsaire Limited. All rights reserved.




[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] Corsaire Security Advisory - Citrix Access Gateway session ID disclosure issue, advisories <=
Previous by Date:  [Full-disclosure] rPSA-2007-0220-1 ImageMagick, rPath Update Announcements
Next by Date:  [Full-disclosure] rPSA-2007-0222-1 cpio tar, rPath Update Announcements
Previous by Thread:  [Full-disclosure] rPSA-2007-0220-1 ImageMagick, rPath Update Announcements
Next by Thread:  [Full-disclosure] rPSA-2007-0222-1 cpio tar, rPath Update Announcements
Indexes:  [Date] [Thread] [Top] [All Lists]