what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Citrix Gateway 11.1 / 12.0 / 12.1 Information Disclosure

Citrix Gateway 11.1 / 12.0 / 12.1 Information Disclosure
Posted Mar 9, 2020
Authored by Micha Borrmann | Site syss.de

Citrix Gateway versions 11.1, 12.0, and 12.1 suffer from an information disclosure vulnerability.

tags | exploit, info disclosure
advisories | CVE-2020-10110
SHA-256 | aca831367203c586cf693ab95a5e463eeaa4d60eae5b4d5efe517d8da98e9aa8

Citrix Gateway 11.1 / 12.0 / 12.1 Information Disclosure

Change Mirror Download
Advisory ID:               SYSS-2020-004
Product: Citrix Gateway
Manufacturer: Citrix Systems, Inc.
Affected Version(s): 11.1, 12.0, 12.1
Tested Version(s): 11.1.63.15, 12.0.63.13, 12.1.55.18
Vulnerability Type: Information Exposure Through Caching (CWE-512)
Risk Level: Information Disclosure
Solution Status: Open
Manufacturer Notification: 2020-01-31
Solution Date: no solution
Public Disclosure: 2020-03-05
CVE Reference: CVE-2020-10110
Author of Advisory: Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

"Citrix Gateway is a customer-managed solution that can be deployed on
premises or on any public cloud, such as AWS, Azure, or Google Cloud
Platform. Citrix Gateway provides users with secure access and single
sign-on to all the virtual, SaaS and web applications they need to be
productive." (see [1])

The solution contains a caching system which shows how long an entry
was in the cache.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Some responses of the web based solution are handled with an included
caching system. This system can be seen in the HTTP response header.
The header also contains information, how long the response was in the
cache. The number of seconds will never exceed the value of 112.
After that period of time, the cache will be refreshed with an
additional client request.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

$ curl --include --url https://$NSGATEWAYHOST/logon/themes/Default/resources/config.xml
HTTP/1.1 200 OK
Age: 21
Date: Fri, 31 Jan 2020 11:53:17 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-store, must-revalidate
Connection: Keep-Alive
Via: NS-CACHE-10.0: 121
ETag: "12a-59c921b8df640"
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 20 Jan 2020 13:17:05 GMT
Accept-Ranges: bytes
Content-Length: 298
X-Citrix-Application: Receiver for Web
Pragma: no-cache
Keep-Alive: timeout=15, max=95
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8" ?>
<ResourceManager>
<SupportedLanguageList>
<Language>en</Language>
<Language>de</Language>
<Language>es</Language>
<Language>fr</Language>
<Language>ja</Language>
<Language>zh-CN</Language>
</SupportedLanguageList>
</ResourceManager>

The "Via" header indicates that there is a caching system in place. The
"Age" header shows how many seconds the initial request was processed.
A value of 1 indicates that the response is sent from the web server
instead of from the cache.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution to the described security issue.
The Citrix Security Response Team responded on 02/28/2020 with the
following statement: "We have determined that the described cache
behavior does not have a security impact and is not considered a
vulnerability."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-01-22: Detection of the vulnerability
2020-01-31: Vulnerability reported to manufacturer
2020-02-28: Received vendor's response
2020-03-04: CVE number assigned
2020-03-05: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Citrix Gateway product website
https://www.citrix.com/products/citrix-gateway/
[2] SySS Security Advisory SYSS-2020-004
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-004.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close