Secunia Security Advisory - Some vulnerabilities and a security issue have been reported in Citrix Access Gateway, which can be exploited by malicious people to disclose sensitive information, conduct cross-site request forgery attacks, or to compromise a user's system.
TITLE:
Citrix Access Gateway Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA26143
VERIFY ADVISORY:
http://secunia.com/advisories/26143/
CRITICAL:
Highly critical
IMPACT:
Cross Site Scripting, Exposure of sensitive information, System
access
WHERE:
From remote
SOFTWARE:
Citrix Access Gateway 4.x
http://secunia.com/product/6168/
DESCRIPTION:
Some vulnerabilities and a security issue have been reported in
Citrix Access Gateway, which can be exploited by malicious people to
disclose sensitive information, conduct cross-site request forgery
attacks, or to compromise a user's system.
1) A security issue due to residual information left on the client
device can be exploited to gain unauthorized access to a user's
active session.
This security issue is reported in Access Gateway Advanced Edition
4.5 and prior.
2) Multiple unspecified errors in client components (Net6Helper.DLL
and npCtxCAO.dll as ActiveX control and Firefox plugin) of Access
Gateway Standard and Advanced Editions can be exploited to execute
arbitrary code in context of the logged-in user.
These vulnerabilities are reported in Access Gateway Standard Edition
4.5.2 and prior and Access Gateway Advanced Editions version 4.5 and
prior with appliance firmware 4.5.2 and prior.
3) The web-based administration console of an Access Gateway
appliance allows an administrator to perform certain actions via HTTP
requests without performing any validity checks to verify the
request. This can be exploited to e.g. change certain configuration
settings, by enticing a logged-in administrator to visit a malicious
web site.
This vulnerability is reported in Access Gateway model 2000
appliances with firmware version 4.5.2 and prior. Access Gateway
Enterprise Edition is reportedly not affected.
A redirection issue that may facilitate phishing attacks has also
been reported.
SOLUTION:
Apply hotfix and update firmware to version 4.5.5.
Access Gateway Standard Edition 4.5:
http://support.citrix.com/article/CTX114028
Access Gateway Advanced Edition 4.5:
http://support.citrix.com/article/CTX112803
The vendor also recommends removing the following components from
client devices:
VPN ActiveX components:
* Net6Helper.DLL (Friendly name: Net6Launcher Class, version number
up to and including 4.5.2)
EPA Components (ActiveX):
* npCtxCAO.dll (Friendly name: CCAOControl Object, version number up
to 4,5,0,0)
EPA Components (Firefox plugin):
* npCtxCAO.dll (Friendly name: Citrix Endpoint Analysis Client,
present in two locations)
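The version limits above can be checked mechanically against a client software inventory. The following Python sketch is an added example, not part of the Secunia or Citrix advisories; the record layout, the "activex"/"firefox-plugin" labels and the sample hosts are constructed, and "up to 4,5,0,0" is assumed to be inclusive.

```python
import re

# Limits from the advisory's SOLUTION section, padded to four components.
# None means the advisory gives no version bound (Firefox plugin), so any
# copy found is flagged. Assumption: "up to 4,5,0,0" is read as inclusive.
AFFECTED_MAX = {
    ("net6helper.dll", "activex"): (4, 5, 2, 0),
    ("npctxcao.dll", "activex"): (4, 5, 0, 0),
    ("npctxcao.dll", "firefox-plugin"): None,
}
FIXED_FIRMWARE = (4, 5, 5, 0)

def parse_version(text, width=4):
    """Parse '4.5.2', '4,5,0,0' or '4, 5, 0, 0' into a zero-padded int tuple."""
    parts = re.split(r"\s*[.,]\s*", text.strip())
    if not all(p.isdigit() for p in parts) or len(parts) > width:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (width - len(nums))

def component_status(filename, kind, version_text):
    """Return 'remove', 'ok', 'review' (unreadable version) or 'not-listed'."""
    key = (filename.lower(), kind)
    if key not in AFFECTED_MAX:
        return "not-listed"
    limit = AFFECTED_MAX[key]
    if limit is None:
        return "remove"
    try:
        found = parse_version(version_text)
    except ValueError:
        return "review"  # do not guess; check this file by hand
    return "remove" if found <= limit else "ok"

def firmware_needs_update(version_text):
    """True when appliance firmware is older than the fixed 4.5.5."""
    return parse_version(version_text) < FIXED_FIRMWARE

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("ws-01", "Net6Helper.DLL", "activex", "4.5.2.0"),
    ("ws-02", "npCtxCAO.dll", "activex", "4, 5, 0, 0"),
    ("ws-03", "npCtxCAO.dll", "firefox-plugin", ""),
    ("ws-04", "Net6Helper.DLL", "activex", "4.5.5"),
]
FLAGGED = [h for h, f, k, v in INVENTORY if component_status(f, k, v) == "remove"]
```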
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Martin ONeal, Corsaire.
2) The vendor credits Michael White, Symantec.
3) The vendor credits Paul Johnston.
ORIGINAL ADVISORY:
http://support.citrix.com/article/CTX113814
http://support.citrix.com/article/CTX113815
http://support.citrix.com/article/CTX113816
http://support.citrix.com/article/CTX113817