#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Access Gateway (Appliance) a.k.a. CAG
# Vendor: Citrix
# CVE ID: CVE-2007-4018 (CTX113816)
# Subject: Redirection Vulnerability
# Severity: Medium
# Effect: Remotely exploitable
# Author: Cyrill Brunschwiler
# Date: April 15th 2008
#
#############################################################

Introduction:
-------------
Vulnerabilities have been identified in Access Gateway Advanced Edition that
may allow an attacker to redirect a user to an arbitrary web site. It may be
possible for an attacker to exploit this type of behavior to facilitate
phishing attacks.

Affected:
---------
These vulnerabilities affect all versions of Access Gateway Advanced Edition
when deployed with an Access Gateway appliance with firmware version up to
and including 4.5.2. Access Gateway Standard and Access Gateway Enterprise
Editions are not vulnerable to these issues.
- Access Gateway 4.5 Advanced Edition
- Access Gateway 4.5 Standard Edition
- Advanced Access Control 4.2

Description:
------------
When a remote user requests an unencrypted CAG web page, the client web
browser is redirected to the SSL protected web service. This behavior
helps to ensure that further data packets will be transmitted over encrypted
(SSL) channels only. However, if an attacker spoofs the virtual domain
header (the HTTP Host header), the client is redirected to the spoofed
domain. This allows various forms of hijacking and phishing.

host:~ # netcat 123.123.123.123 80
GET / HTTP/1.1
host: www.hacker.org

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Connection: close
Accept-Ranges: none
Location: https://www.hacker.org:443/

CAG is expected to redirect to trusted domains only (to itself or to the
customer's domains).
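
The expected behavior stated above, as an added example (not Citrix or
Compass code): the HTTP-to-HTTPS redirect target is chosen from an allowlist
instead of being copied from the Host header. The function names, the
allowlist and the example.com hosts are assumptions made for illustration.

```python
# Added example: names and hosts below are constructed, not taken from CAG.
from typing import Optional

TRUSTED_HOSTS = {"gateway.example.com", "vpn.example.com"}  # assumed allowlist
CANONICAL_HOST = "gateway.example.com"                      # assumed default


def vulnerable_location(host_header: str) -> str:
    """Behaviour shown in the advisory: the Host header is echoed back."""
    return f"https://{host_header.split(':')[0]}:443/"


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Return the lowercase hostname without port, or None if malformed."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):          # IPv6 literal: never in the allowlist
        return None
    host, _, port = host.partition(":")
    if port and not port.isdigit():
        return None
    host = host.rstrip(".")           # "gateway.example.com." is the same name
    # Reject anything that could smuggle a path, userinfo or header break.
    if not host or any(c in host for c in "/\\@?#\r\n \t"):
        return None
    return host


def safe_location(host_header: Optional[str]) -> str:
    """Redirect only to an allowlisted host; otherwise use the canonical one."""
    host = normalize_host(host_header)
    if host not in TRUSTED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}:443/"
```
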

Patches:
--------
This vulnerability has been addressed in the Access Gateway firmware version
4.5.5. Due to this, it is strongly recommended that customers upgrade their
Access Gateway appliance to firmware version 4.5.5 and upgrade to Access
Gateway Advanced Edition 4.5 HF1. These upgrades can be obtained from the
following locations:
- Access Gateway Appliance firmware 4.5.5:
http://support.citrix.com/article/CTX114028
- Advanced Access Control HF1:
http://support.citrix.com/article/CTX112803

Timeline:
---------
Vendor Status: Patch released
Vendor Notified: June, 14th 2007
Vendor Response: June, 27th 2007
Patch Available: July, 19th 2007
Issue Confirmed: July, 18th 2008
Advisory Release: April, 25th 2008

References:
-----------
- CTX113816, Vulnerabilities in CAG Advanced Edition could allow redirection
to arbitrary web sites, http://support.citrix.com/article/CTX113816
- AusCERT, Citrix Access Gateway and Advanced Access Control multiple
vulnerabilities, http://www.auscert.org.au/render.html?it=7880