Citrix Access Gateway Redirection Vulnerability

#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:   Access Gateway (Appliance) a.k.a. CAG
# Vendor:    Citrix
# CVE ID:    CVE-2007-4018 (CTX113816)
# Subject:   Redirection Vulnerability
# Severity:  Medium
# Effect:    Remotely exploitable
# Author:    Cyrill Brunschwiler
# Date:      April 15th 2008
#
#############################################################

Introduction:
-------------
Vulnerabilities have been identified in Access Gateway Advanced Edition that
may allow an attacker to redirect a user to an arbitrary web site. It may be
possible for an attacker to exploit this type of behavior to facilitate
phishing attacks.

Affected:
---------
These vulnerabilities affect all versions of Access Gateway Advanced Edition
when deployed with an Access Gateway appliance with firmware version up to
and including 4.5.2. Access Gateway Standard and Access Gateway Enterprise
Editions are not vulnerable to these issues.

- Access Gateway 4.5 Advanced Edition
- Access Gateway 4.5 Standard Edition
- Advanced Access Control 4.2

Description:
------------
Client web browsers will be redirected to the SSL protected web service in
case the remote user requested an unencrypted CAG web page. This behavior
helps to ensure that further data packets will be transmitted over encrypted
(SSL) channels only. However, if an attacker spoofs the virtual domain header
then the client gets redirected to the spoofed domain. This allows various
forms of hijacking and phishing.

host:~ # netcat 123.123.123.123 80
GET / HTTP/1.1
host: www.hacker.org

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Connection: close
Accept-Ranges: none
Location: https://www.hacker.org:443/

CAG is expected to redirect to trusted domains only (to itself or to the
customer’s domains only).

Patches:
--------
This vulnerability has been addressed in the Access Gateway firmware version
4.5.5.  Due to this, it is strongly recommends that customers upgrade their
Access Gateway appliance to firmware version 4.5.5 and upgrade to Access
Gateway Advanced Edition 4.5 HF1. These upgrades can be obtained from the
following locations:

- Access Gateway Appliance firmware 4.5.5:
  http://support.citrix.com/article/CTX114028

- Advanced Access Control HF1:
  http://support.citrix.com/article/CTX112803

Timeline:
---------
Vendor Status:        Patch released
Vendor Notified:    June, 14th 2007
Vendor Response:    June, 27th 2007
Patch Available:    July, 19th 2007
Issue Confirmed:    July, 18th 2008
Advisory Release:    April, 25th 2008

References:
-----------
- CTX113816, Vulnerabilities in CAG Advanced Edition could allow redirection
  to arbitrary web sites, http://support.citrix.com/article/CTX113816

- AusCERT, Citrix Access Gateway and Advanced Access Control multiple
  vulnerabilities, http://www.auscert.org.au/render.html?it=7880
Advertisement

Citrix Access Gateway Advanced Session Hijacking

#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:   Access Gateway Advanced a.k.a. CAG
# Vendor:    Citrix
# CVE ID:    CVE-2007-0011 (CTX113814)
# Subject:   Session Hijacking and Information Disclosure
# Severity:  Medium
# Effect:    Remotely exploitable
# Author:    Cyrill Brunschwiler
# Date:      April 15th 2008
#
#############################################################

Introduction:
-------------
When using Access Gateway Advanced Edition, residual information left in the
client web browser and on the client computer could allow an attacker to gain
unauthorized access to a user’s Citrix session.

Affected:
---------
This vulnerability is present in all versions of Access Gateway Advanced
Edition up to and including version 4.5.

- Access Gateway 4.5 Advanced Edition
- Access Gateway 4.5 Standard Edition
- Advanced Access Control 4.2
- Advanced Access Control Option 4.0

Description:
------------
The login form does not properly restrict the common web browser autocomplete
feature where the web browser stores input field information. Therefore, the
login credentials are stored in the browser cache for future use and might be
revealed to attackers which have access to the victim’s computer. This is
especially critical in Internet café environments.

  ...

Remediation:
------------
Either add the autocomplete=off attribute to the form tag or add the
autocomplete=off attribute to every critical input tag to avoid the
vulnerability.

Patches:
--------
This vulnerability has been addressed in the Access Gateway firmware version
4.5.5.  Due to this, it is strongly recommends that customers upgrade their
Access Gateway appliance to firmware version 4.5.5 and upgrade to Access
Gateway Advanced Edition 4.5 HF1. These upgrades can be obtained from the
following locations:

- Access Gateway Appliance firmware 4.5.5:
  http://support.citrix.com/article/CTX114028

- Advanced Access Control HF1:
  http://support.citrix.com/article/CTX112803

Timeline:
---------
Vendor Status:        Patch released
Vendor Notified:    June, 14th 2007
Vendor Response:    June, 27th 2007
Patch Available:    July, 19th 2007
Issue Confirmed:    July, 18th 2008
Advisory Release:    April, 25th 2008

References:
-----------
CTX113816, Vulnerabilities in CAG Advanced Edition could allow redirection
to arbitrary web sites, Link: http://support.citrix.com/article/CTX113816

OWASP Guide:
http://www.owasp.org/index.php/Authentication#Browser_remembers_passwords