Re: [FD] Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

2023-07-16 Thread Jens Timmerman

Hi,


On 03/07/2023 16:59, i...@esec-service.de wrote:

Document Title:
===
Citrix Gateway&Cloud MFA - Insufficient Session Validation Vulnerability


Technical Details & Description:

An insufficient session validation web vulnerability was discovered in 
the Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 web-application, Cloud 
and AAA Feature.
The security vulnerability allows remote attackers to bypass the MFA 
function by hijacking the session data of an active user (non-expired 
session) to follow up with further compromising attacks.



I've been working with a lot of products that I believe are vulnerable 
to a very similar exploit, and I was wondering how one should fix 
this / protect against this attack?


I looked at 
https://owasp.org/www-community/attacks/Session_hijacking_attack 
but the page linking to the related controls doesn't seem to exist.


On 
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html 
I can read:


With the goal of detecting (and, in some scenarios, protecting against) 
user misbehaviors and session hijacking, it is highly recommended to 
bind the session ID to other user or client properties, such as the 
client IP address, User-Agent, or client-based digital certificate. If 
the web application detects any change or anomaly between these 
different properties in the middle of an established session, this is a 
very good indicator of session manipulation and hijacking attempts, and 
this simple fact can be used to alert and/or terminate the suspicious 
session.


So binding a session server side to an IP address and browser 
fingerprint can detect if this is ongoing, but a sophisticated attacker 
could still pull this off.


Can someone point me to some information on what the industry best 
practices are to protect against this type of attack?


Regards,

Jens Timmerman

On 03/07/2023 16:59, i...@esec-service.de wrote:

Document Title:
===
Citrix Gateway&Cloud MFA - Insufficient Session Validation Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2324

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2023/07/03/citrix-gateway-cloud-mfa-insufficient-session-validation-vulnerability


Security Video: (Cloud)
https://www.youtube.com/watch?v=vObgOpGpCSM

Security Video: (OnPrem)
https://www.youtube.com/watch?v=RFjRgiW2OWE


Release Date:
=
2023-07-03


Vulnerability Laboratory ID (VL-ID):

2324


Common Vulnerability Scoring System:

5


Vulnerability Class:

Insufficient Session Validation


Current Estimated Price:

2.000€ - 3.000€


Product & Service Introduction:
===
Cloud Software Group's NetScaler and NetScaler Gateway, previously 
better known as Citrix ADC and Citrix Gateway (and hereafter referred 
to as Citrix *)
provides secure and reliable access to web applications, enterprise 
applications and corporate data.


"Citrix Gateway consolidates remote access infrastructure to provide 
single sign-on for all apps, whether in a data center, in a cloud, or
if the apps are deployed as SaaS apps. It allows users to access any 
app from any device through a single URL. Citrix Gateway is easy to
deploy and easy to manage. The most typical deployment configuration 
is to place the Citrix Gateway appliance in the DMZ. You can install
multiple Citrix Gateway appliances on the network for more complex 
deployments."


(Copy of the Homepage: https://docs.citrix.com/de-de/citrix-gateway.html)


"Many companies restrict website access to valid users only, and 
control the level of access permitted to each user.
The authentication, authorization, and auditing feature allows a site 
administrator to manage access controls with the NetScaler appliance
instead of managing these controls separately for each application. 
Doing authentication on the appliance also permits sharing this
information across all websites within the same domain that are 
protected by the appliance."


(Copy of the Homepage: 
https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm.html 
& https://citrix.cloud.com & https://cloud.citrix.com)



Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a web 
vulnerability in the official Citrix Gateway (ADC/NetScaler) 13.0 & 
13.1 web-application, Cloud and AAA Feature.



Affected Product(s):
===
Manufacturer:
Citrix/Cloud Software Group

Products:
Citrix ADC/NetScaler 13.0 & 13.1
Citrix Gateway/Netscaler Gateway 13.0 & 13.1
Citrix Cloud Services Website
Possibly also earlier versions


Vulnerability Disclosure Timeline:
==
2023-03-27: Researcher Notification
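The control Jens quotes from the OWASP Session Management Cheat Sheet (bind the session to client properties, terminate on mismatch) is the usual answer to the hijack-an-unexpired-session problem the advisory describes, and the parts that matter in practice are the ones a one-line description leaves out: the session is only usable once MFA has actually completed, the session ID is rotated at that point, idle sessions expire, and a fingerprint mismatch both kills the session and raises an alert rather than silently failing. The following is an added example, written for this thread; it is not Citrix/NetScaler code and not code from the OWASP page. The store, the `SESSION_TTL` value, the sample IP addresses and User-Agents, and the `demo()` scenario are all constructed for illustration. Jens's caveat still holds: IP and User-Agent can be spoofed or change legitimately, which is why the fingerprint also accepts a client certificate, the one bound property an attacker cannot replay without the private key.

```python
"""Server-side session binding with MFA gating, ID rotation and idle expiry.
Added example for the thread above; not Citrix code, not OWASP's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 15 * 60          # idle timeout in seconds (assumed policy value)
SERVER_KEY = secrets.token_bytes(32)  # per-process key so fingerprints are not guessable


def client_fingerprint(remote_addr: str, user_agent: str, client_cert_der: bytes = b"") -> str:
    """Keyed hash over the client properties the session is bound to.
    IP and User-Agent are weak signals (spoofable, and they change behind
    NAT or mobile networks); a client certificate is the strong one."""
    material = b"\x00".join([remote_addr.encode(), user_agent.encode(), client_cert_der])
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    mfa_verified: bool
    last_seen: float


class SessionStore:
    def __init__(self):
        self._sessions: dict = {}
        self.alerts: list = []

    def create(self, user, fingerprint, mfa_verified=False, now=None):
        """Issue a session after the first factor; not usable until MFA completes."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, fingerprint, mfa_verified, now)
        return sid

    def complete_mfa(self, sid, fingerprint, now=None):
        """Second factor passed: rotate the ID (anti-fixation) and mark verified.
        The MFA step must come from the same bound client as the first factor."""
        s = self._sessions.get(sid)
        if s is None or not hmac.compare_digest(s.fingerprint, fingerprint):
            return None
        self.destroy(sid)
        return self.create(s.user, s.fingerprint, mfa_verified=True, now=now)

    def validate(self, sid, fingerprint, now=None):
        """Return the session if it is known, unexpired, MFA-complete and bound
        to the presenting client; otherwise terminate it and return None."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > SESSION_TTL:
            self.destroy(sid)
            return None
        if not s.mfa_verified:
            return None                      # first factor only: not a usable session
        if not hmac.compare_digest(s.fingerprint, fingerprint):
            # Stolen session ID presented from a different client: alert and kill it.
            self.alerts.append(f"fingerprint mismatch for user {s.user}; session terminated")
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def demo():
    """Constructed scenario: a hijacked ID presented from another client."""
    store = SessionStore()
    victim_fp = client_fingerprint("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0")
    attacker_fp = client_fingerprint("198.51.100.7", "curl/8.1.2")

    first = store.create("alice", victim_fp, now=1000.0)
    pre_mfa_usable = store.validate(first, victim_fp, now=1001.0) is not None
    sid = store.complete_mfa(first, victim_fp, now=1002.0)
    old_id_still_valid = store.validate(first, victim_fp, now=1003.0) is not None

    legit = store.validate(sid, victim_fp, now=1010.0) is not None
    hijack = store.validate(sid, attacker_fp, now=1020.0) is not None   # stolen ID, other client
    victim_after = store.validate(sid, victim_fp, now=1030.0) is not None  # session was terminated

    idle = store.complete_mfa(store.create("carol", victim_fp, now=1000.0), victim_fp, now=1000.0)
    expired = store.validate(idle, victim_fp, now=1000.0 + SESSION_TTL + 1) is not None
    return {"pre_mfa_usable": pre_mfa_usable, "old_id_still_valid": old_id_still_valid,
            "legit": legit, "hijack": hijack, "victim_after_hijack": victim_after,
            "expired": expired, "alerts": len(store.alerts)}


if __name__ == "__main__":
    print(demo())
```

The mismatch branch terminates the session rather than just refusing the request: once an ID has been seen from two clients it is compromised, and the legitimate user re-authenticating (with MFA) is the cheapest recovery. For deployments where the IP legitimately changes mid-session, drop `remote_addr` from the fingerprint and keep the certificate or a device-bound token; a fingerprint built only from User-Agent is an alerting signal, not a control.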

[FD] WBCE - Stored XSS

2023-07-16 Thread Andrey Stoykov
# Exploit Title: WBCE - Stored XSS
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 1.6.1
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com


Steps to Exploit:

1. Login to application
2. Browse to following URI "http://host/wbce/admin/pages/intro.php"
3. Paste XSS payload "TEST">"
4. Then browse to settings "Settings->General Settings->Enable Intro
Page->Enabled"
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/