Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

From: "info () esec-service de" <info () esec-service de>
Date: Mon, 3 Jul 2023 16:59:53 +0200
Document Title:
===============
Citrix Gateway&Cloud MFA - Insufficient Session Validation Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2324

Vulnerability 
Magazine:https://www.vulnerability-db.com/?q=articles/2023/07/03/citrix-gateway-cloud-mfa-insufficient-session-validation-vulnerability

Security Video: (Cloud)
https://www.youtube.com/watch?v=vObgOpGpCSM

Security Video: (OnPrem)
https://www.youtube.com/watch?v=RFjRgiW2OWE


Release Date:
=============
2023-07-03


Vulnerability Laboratory ID (VL-ID):
====================================
2324


Common Vulnerability Scoring System:
====================================
5


Vulnerability Class:
====================
Insufficient Session Validation


Current Estimated Price:
========================
2.000€ - 3.000€


Product & Service Introduction:
===============================
Cloud Software Group's NetScaler and NetScaler Gateway, previously better known as Citrix ADC and Citrix Gateway (and 
hereafter referred to as Citrix *)
provides secure and reliable access to web applications, enterprise applications and corporate data.

"Citrix Gateway consolidates remote access infrastructure to provide single sign-on for all apps, whether in a data 
center, in a cloud, or
if the apps are deployed as SaaS apps. It allows users to access any app from any device through a single URL. Citrix 
Gateway is easy to
deploy and easy to manage. The most typical deployment configuration is to place the Citrix Gateway appliance in the 
DMZ. You can install
multiple Citrix Gateway appliances on the network for more complex deployments."

(Copy of the Homepage:https://docs.citrix.com/de-de/citrix-gateway.html  )

"Many companies restrict website access to valid users only, and control the level of access permitted to each user.
The authentication, authorization, and auditing feature allows a site administrator to manage access controls with the 
NetScaler appliance
instead of managing these controls separately for each application. Doing authentication on the appliance also permits 
sharing this
information across all websites within the same domain that are protected by the appliance."

(Copy of the Homepage:https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm.html  &https://citrix.cloud.com  
&https://cloud.citrix.com)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a web vulnerability in the official Citrix Gateway 
(ADC/NetScaler) 13.0 & 13.1 web-application, Cloud and AAA Feature.


Affected Product(s):
===================
Manufacturer:   
Citrix/Cloud Software Group

Products:               
Citrix ADC/NetScaler 13.0 & 13.1
Citrix Gateway/Netscaler Gateway 13.0 & 13.1
Citrix Cloud Services Website
Possibly also earlier versions


Vulnerability Disclosure Timeline:
==================================
2023-03-27: Researcher Notification & Coordination (Security Researcher)
2023-04-24: Vendor Notification (Security Department)
2023-04-26: Vendor Response/Feedback #1 (Security Department)
2023-04-27: Vendor Response/Feedback #2 (Security Department)
2023-05-04: Vendor Response/Feedback #2 (Security Department)
2023-**-**: Security Acknowledgements (Security Department)
2023-**-**: Vendor Fix/Patch by Check (Service Developer Team)
2023-07-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (User Privileges)


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
An insufficient session validation web vulnerability was discovered in the Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 
web-application, Cloud and AAA Feature.
The security vulnerability allows remote attackers to bypass the mfa function by hijacking the session data of an 
active user (non expired session) to followup
with further compromising attacks.

The insufficient session validation vulnerability is located in the Citrix Gateway login without web-application 
firewall (waf) and the Citrix Gateway login with
web-application firewall (waf). Attackers can access the applications behind the Citrix Gateway without authentication 
after compromising a client by extract of a
specific generated access cookie.In the onprem version of Citrix ADC and Citrix Gateway it is only required to hijack 
the NSC_AAAC cookie for unauthorized access
through the Citrix Gateway. To gain access to a AAA protected webservices it is required to hijack the NSC_TMAS cookie.

The security issue is not only exploitable in the onprem version of Citrix ADC and Citrix Gateway, but as well in the 
Citrix Cloud Services Website.
For Citrix Cloud Services Website its required to hijack as well the regionSessionId, customer and sessionId to exploit 
the vulnerability.
Any kind of authentication (Single and Multifactor) does not prevent the exploitation of this vulnerability.

Citrix does recomment that customers should use the web-application firewall to protect the session data but finally 
the protection
mechanism does not secure against thus type of insufficient session validation attacks.

Successful exploitation of the vulnerability leads to session hijacking, unauthorized access to applications content and
compromise of the accessable infrastructure behind, through the Citrix Gateway and AAA.

Vulnerable Function(s):
[+] NSC_AAAC (Cookie)
[+] NSC_TMAS (Cookie)

Affected Module(s):
[+] Citrix Gateway
[+] AAAC


Proof of Concept (PoC):
=======================
The insufficent session validation web vulnerability can be exploited by remote attackers without user interaction with 
remote device access (exp. client compromise).
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to 
continue.


Manual steps to reproduce the vulnerability
1.  Open the url for the Citrix Gateway
2.  Open the browser internal web developer tools
3.  Login to the Citrix Gateway and enter the login data
4.  Successful login and it can be observed that an additional cookie is written (NSC_AAAC)
5.  On a second unknown test computer system the citrix gateway is opened (browser)
6.  Open the browser internal web developer tools
7.  Creation of a new cookie for the page with the name, value and path of the cookie of the other session
8.  Reload of the login page or login to the login screen with random values (Input of content is important to use the 
logon)
9.  Successful login by the second device and take over the active non expired session
10. Successful reproduce of the vulnerability!


Note: To reproduce the same issue on the Citrix Cloud Services Website you have to add 3 cookies
- sessionId
- regionSessionId
- customer

The video victim shows: Victim
- Victim accesseshttps://eu.cloud.com  and is redirected tohttps://accounts.cloud.com  for authentication
- After successful authentication with MFA, he is redirected tohttps://citrix.cloud.com
- Victim now sees the customers/tenants he has access to. He chooses <censored> EU Demo Cloud 2. The tenant ID (and content of 
the cookie "customer") is displayed. He is redirected tohttps://eu.cloud.com
- The victim now sees the services provided for the tenant
- The cookies necessary for the attacker are visible (sessionID, regionSessionID, customer)
- The video ends


The video attacker shows: Attacker
- The attacker callshttps://eu.cloud.com  and is redirected tohttps://accounts.cloud.com  for authentication. So he is 
not yet authenticated and does not have access to the EU Cloud yet
- The attacker creates the cookies with the pilfered values for the respective domain. (Name: sessionID, Value: 
JtLzXIU9OeKy_2TkwYyssg, Path: /, Domain: eu.cloud.com), (Name: customer, Value: f0t66hjbpi0o, Path: /, Domain: 
.cloud.com) The regionSessionID was not used because they are the same for the victim and attacker 
forhttps://eu.cloud.com). If the initial call was in a different region than the Customer, the value would need to be 
changed
- The attacker callshttps://eu.cloud.com  again and is now in the victim's tenant (CCID/customer cookie: f0t66hjbpi0o). 
The attacker now sees the services provided to the tenant
- Through the menu, the attacker sees that he would have access to all kind of Citrix Cloud Infrastructure Services (for 
example Citrix DaaS, Citrix Gateway Service, Citrix Workspace Configuration, Citrix Identity & Access Management, 
Citrix Endpoint Management, Citrix ShareFile), licensing, support tickets and co
- The video ends


Security Risk:
==============
The security risk of the citrix gateway and cloud services vulnerability in the mfa portal authentication module is 
estimated as medium.


Credits & Authors:
==================
Lars Guenther -https://www.vulnerability-lab.com/show.php?user=L.+Guenther
Benjamin Mejri (Kunz) -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of 
business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. 
Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade 
with stolen data.

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, 
videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, 
modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

                                    Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™



--
EVOLUTION SECURITY GMBH
FRIEDRICH-EBERT-STRAßE 10
34117 KASSEL - HESSEN
DEUTSCHLAND (DE)

Attachment: OpenPGP_0xD8F9268858D673A7.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: