Corsaire Security Advisory - Citrix Access Gateway session ID disclosure issue
Note: This is a belated release to the mailing lists (though most of the
tracking services picked this up via the Citrix advisory)...
-- Corsaire Security Advisory --
Title: Citrix Access Gateway session ID disclosure issue
Date: 05.09.06
Application: Citrix Advanced Access Control 4.0
Citrix Advanced Access Control 4.2
Citrix Access Gateway 4.5 Advanced Edition
Citrix Access Gateway 4.5 Standard Edition
Environment: Windows
Author: Martin O'Neal [martin.oneal@xxxxxxxxxxxx]
Audience: General distribution
Reference: c060905-001
-- Scope --
The aim of this document is to clearly define an issue that exists with
the Citrix Access Gateway product [1] that will allow an attacker to
gain access to an authenticated users' session ID.
-- History --
Discovered: 05.09.06 (Martin O'Neal)
Vendor notified: 19.10.06
Document released: 20.07.07
-- Overview --
Citrix Access Gateways are described [1] as "universal SSL VPN
appliances providing a secure, always-on, single point-of-access to an
organization's applications and data".
Amongst other features, the product provides a web portal to corporate
applications and resources.
-- Analysis --
The web portal interface incorporates a collection of .NET scripts,
which utilise a session ID contained within cookies. During the
authentication sequence the user session is redirected via a HTTP meta
refresh header in an HTML response. The browser subsequently uses this
within the next GET request (and the referer header field of the next
HTTP request), placing the session ID in history files, and both client
and server logs. The use of the session ID within the HTML content is
made worse by the application not setting the HTTP cache control headers
appropriately, which can lead to the HTML content being stored within
the local browser cache.
Where this is a particularly problem, is where the web portal is
accessed from a shared or public access terminal, such as an Internet
Caf,; the very environment that this type of solution is intended for.
If an attacker can gain access to the session ID by any mechanism (such
as by recovering it from the local cache or logs), then they will be
able to access all the resources that are available to the user.
Strong authentication technology, such as SecurID 2FA, does not protect
against this style of attack, as the session ID is generated after the
strong authentication process is completed.
-- Recommendations --
Review the recommendations in the Citrix alert [2]. If possible, upgrade
to a version of the Citrix Access Gateway product that does not exhibit
this issue.
Until the product is upgraded, consider reviewing you remote access
policy to restrict the use of the product in shared-access environments.
-- CVE --
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-0011 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.
-- References --
[1] http://www.citrix.com/English/ps2/products/product.asp?contentID
=15005
[2] http://support.citrix.com/article/CTX113814
-- Revision --
a. Initial release.
b. Released.
-- Distribution --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.
-- Disclaimer --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.
-- About Corsaire --
Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.
A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com
Copyright 2006-2007 Corsaire Limited. All rights reserved.