Message-ID: <b8003e99-4c46-bcb2-e611-414fd6255b42@caret.be>
Date: Sun, 16 Jul 2023 00:29:19 +0200
From: Jens Timmerman <jens@...et.be>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

Hi,


On 03/07/2023 16:59, info@...c-service.de wrote:
> Document Title:
> ===============
> Citrix Gateway&Cloud MFA - Insufficient Session Validation Vulnerability
>
>
> Technical Details & Description:
> ================================
> An insufficient session validation web vulnerability was discovered in 
> the Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 web-application, Cloud 
> and AAA Feature.
> The security vulnerability allows remote attackers to bypass the MFA 
> function by hijacking the session data of an active user (non-expired 
> session) to follow up with further compromising attacks.


I've been working with a lot of products that I believe are vulnerable 
to a very similar exploit, and I was wondering how one should fix 
this/protect against this attack?

I looked at 
https://owasp.org/www-community/attacks/Session_hijacking_attack but 
the page linking to the related controls doesn't seem to exist.

On 
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html 
I can read:

With the goal of detecting (and, in some scenarios, protecting against) 
user misbehaviors and session hijacking, it is highly recommended to 
bind the session ID to other user or client properties, such as the 
client IP address, User-Agent, or client-based digital certificate. If 
the web application detects any change or anomaly between these 
different properties in the middle of an established session, this is a 
very good indicator of session manipulation and hijacking attempts, and 
this simple fact can be used to alert and/or terminate the suspicious 
session.

So binding a session server-side to an IP address and browser 
fingerprint can detect if this is ongoing, but a sophisticated attacker 
could still pull this off.

Can someone point me to some information on what the industry best 
practices are to protect against this type of attack?

Regards,

Jens Timmerman

On 03/07/2023 16:59, info@...c-service.de wrote:
> Document Title:
> ===============
> Citrix Gateway&Cloud MFA - Insufficient Session Validation Vulnerability
>
>
> References (Source):
> ====================
> https://www.vulnerability-lab.com/get_content.php?id=2324
>
> Vulnerability Magazine: 
> https://www.vulnerability-db.com/?q=articles/2023/07/03/citrix-gateway-cloud-mfa-insufficient-session-validation-vulnerability
>
> Security Video: (Cloud)
> https://www.youtube.com/watch?v=vObgOpGpCSM
>
> Security Video: (OnPrem)
> https://www.youtube.com/watch?v=RFjRgiW2OWE
>
>
> Release Date:
> =============
> 2023-07-03
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 2324
>
>
> Common Vulnerability Scoring System:
> ====================================
> 5
>
>
> Vulnerability Class:
> ====================
> Insufficient Session Validation
>
>
> Current Estimated Price:
> ========================
> 2.000€ - 3.000€
>
>
> Product & Service Introduction:
> ===============================
> Cloud Software Group's NetScaler and NetScaler Gateway, previously 
> better known as Citrix ADC and Citrix Gateway (and hereafter referred 
> to as Citrix *)
> provides secure and reliable access to web applications, enterprise 
> applications and corporate data.
>
> "Citrix Gateway consolidates remote access infrastructure to provide 
> single sign-on for all apps, whether in a data center, in a cloud, or
> if the apps are deployed as SaaS apps. It allows users to access any 
> app from any device through a single URL. Citrix Gateway is easy to
> deploy and easy to manage. The most typical deployment configuration 
> is to place the Citrix Gateway appliance in the DMZ. You can install
> multiple Citrix Gateway appliances on the network for more complex 
> deployments."
>
> (Copy of the Homepage: https://docs.citrix.com/de-de/citrix-gateway.html)
>
> "Many companies restrict website access to valid users only, and 
> control the level of access permitted to each user.
> The authentication, authorization, and auditing feature allows a site 
> administrator to manage access controls with the NetScaler appliance
> instead of managing these controls separately for each application. 
> Doing authentication on the appliance also permits sharing this
> information across all websites within the same domain that are 
> protected by the appliance."
>
> (Copy of the Homepage: 
> https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm.html 
> & https://citrix.cloud.com & https://cloud.citrix.com)
>
>
> Abstract Advisory Information:
> ==============================
> The vulnerability laboratory core research team discovered a web 
> vulnerability in the official Citrix Gateway (ADC/NetScaler) 13.0 & 
> 13.1 web-application, Cloud and AAA Feature.
>
>
> Affected Product(s):
> ===================
> Manufacturer:
> Citrix/Cloud Software Group
>
> Products:
> Citrix ADC/NetScaler 13.0 & 13.1
> Citrix Gateway/Netscaler Gateway 13.0 & 13.1
> Citrix Cloud Services Website
> Possibly also earlier versions
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2023-03-27: Researcher Notification & Coordination (Security Researcher)
> 2023-04-24: Vendor Notification (Security Department)
> 2023-04-26: Vendor Response/Feedback #1 (Security Department)
> 2023-04-27: Vendor Response/Feedback #2 (Security Department)
> 2023-05-04: Vendor Response/Feedback #2 (Security Department)
> 2023-**-**: Security Acknowledgements (Security Department)
> 2023-**-**: Vendor Fix/Patch by Check (Service Developer Team)
> 2023-07-03: Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Exploitation Technique:
> =======================
> Remote
>
>
> Severity Level:
> ===============
> Medium
>
>
> Authentication Type:
> ====================
> Restricted Authentication (User Privileges)
>
>
> User Interaction:
> =================
> No User Interaction
>
>
> Disclosure Type:
> ================
> Responsible Disclosure
>
>
> Technical Details & Description:
> ================================
> An insufficient session validation web vulnerability was discovered in 
> the Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 web-application, Cloud 
> and AAA Feature.
> The security vulnerability allows remote attackers to bypass the MFA 
> function by hijacking the session data of an active user (non-expired 
> session) to follow up with further compromising attacks.
>
> The insufficient session validation vulnerability is located in the 
> Citrix Gateway login without web-application firewall (waf) and the 
> Citrix Gateway login with
> web-application firewall (waf). Attackers can access the applications 
> behind the Citrix Gateway without authentication after compromising a 
> client by extracting a specific generated access cookie. In the onprem 
> version of Citrix ADC and Citrix Gateway it is only required to hijack 
> the NSC_AAAC cookie for unauthorized access through the Citrix Gateway. 
> To gain access to an AAA protected webservice it is required to hijack 
> the NSC_TMAS cookie.
>
> The security issue is not only exploitable in the onprem version of 
> Citrix ADC and Citrix Gateway, but as well in the Citrix Cloud 
> Services Website.
> For the Citrix Cloud Services Website it's required to hijack as well the 
> regionSessionId, customer and sessionId to exploit the vulnerability.
> Any kind of authentication (Single and Multifactor) does not prevent 
> the exploitation of this vulnerability.
>
> Citrix does recommend that customers should use the web-application 
> firewall to protect the session data, but finally the protection
> mechanism does not secure against this type of insufficient session 
> validation attacks.
>
> Successful exploitation of the vulnerability leads to session 
> hijacking, unauthorized access to application content and
> compromise of the accessible infrastructure behind, through the Citrix 
> Gateway and AAA.
>
> Vulnerable Function(s):
> [+] NSC_AAAC (Cookie)
> [+] NSC_TMAS (Cookie)
>
> Affected Module(s):
> [+] Citrix Gateway
> [+] AAAC
>
>
> Proof of Concept (PoC):
> =======================
> The insufficient session validation web vulnerability can be exploited 
> by remote attackers without user interaction with remote device access 
> (exp. client compromise).
> For security demonstration or to reproduce the web vulnerability 
> follow the provided information and steps below to continue.
>
>
> Manual steps to reproduce the vulnerability
> 1.  Open the url for the Citrix Gateway
> 2.  Open the browser internal web developer tools
> 3.  Login to the Citrix Gateway and enter the login data
> 4.  Successful login and it can be observed that an additional cookie 
> is written (NSC_AAAC)
> 5.  On a second unknown test computer system the citrix gateway is 
> opened (browser)
> 6.  Open the browser internal web developer tools
> 7.  Creation of a new cookie for the page with the name, value and 
> path of the cookie of the other session
> 8.  Reload of the login page or login to the login screen with random 
> values (Input of content is important to use the logon)
> 9.  Successful login by the second device and take over the active non 
> expired session
> 10. Successful reproduction of the vulnerability!
>
>
> Note: To reproduce the same issue on the Citrix Cloud Services Website 
> you have to add 3 cookies
> - sessionId
> - regionSessionId
> - customer
>
> The video victim shows: Victim
> - Victim accesses https://eu.cloud.com and is redirected 
> to https://accounts.cloud.com for authentication
> - After successful authentication with MFA, he is redirected 
> to https://citrix.cloud.com
> - Victim now sees the customers/tenants he has access to. He chooses 
> <censored> EU Demo Cloud 2. The tenant ID (and content of the cookie 
> "customer") is displayed. He is redirected to https://eu.cloud.com
> - The victim now sees the services provided for the tenant
> - The cookies necessary for the attacker are visible (sessionID, 
> regionSessionID, customer)
> - The video ends
>
>
> The video attacker shows: Attacker
> - The attacker calls https://eu.cloud.com and is redirected 
> to https://accounts.cloud.com for authentication. So he is not yet 
> authenticated and does not have access to the EU Cloud yet
> - The attacker creates the cookies with the pilfered values for the 
> respective domain. (Name: sessionID, Value: JtLzXIU9OeKy_2TkwYyssg, 
> Path: /, Domain: eu.cloud.com), (Name: customer, Value: f0t66hjbpi0o, 
> Path: /, Domain: .cloud.com) The regionSessionID was not used because 
> they are the same for the victim and attacker 
> for https://eu.cloud.com). If the initial call was in a different 
> region than the Customer, the value would need to be changed
> - The attacker calls https://eu.cloud.com again and is now in the 
> victim's tenant (CCID/customer cookie: f0t66hjbpi0o). The attacker now 
> sees the services provided to the tenant
> - Through the menu, the attacker sees that he would have access to all 
> kind of Citrix Cloud Infrastructure Services (for example Citrix DaaS, 
> Citrix Gateway Service, Citrix Workspace Configuration, Citrix 
> Identity & Access Management, Citrix Endpoint Management, Citrix 
> ShareFile), licensing, support tickets and co
> - The video ends
>
>
> Security Risk:
> ==============
> The security risk of the citrix gateway and cloud services 
> vulnerability in the mfa portal authentication module is estimated as 
> medium.
>
>
> Credits & Authors:
> ==================
> Lars Guenther 
> -https://www.vulnerability-lab.com/show.php?user=L.+Guenther
> Benjamin Mejri (Kunz) 
> -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
>
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without 
> any warranty. Vulnerability Lab disclaims all warranties,
> either expressed or implied, including the warranties of 
> merchantability and capability for a particular purpose. 
> Vulnerability-Lab
> or its suppliers are not liable in any case of damage, including 
> direct, indirect, incidental, consequential loss of business profits
> or special damages, even if Vulnerability-Lab or its suppliers have 
> been advised of the possibility of such damages. Some states do
> not allow the exclusion or limitation of liability for consequential 
> or incidental damages so the foregoing limitation may not apply.
> We do not approve or encourage anybody to break any licenses, 
> policies, deface websites, hack into databases or trade with stolen data.
>
> Any modified copy or reproduction, including partially usages, of this 
> file requires authorization from Vulnerability Laboratory.
> Permission to electronically redistribute this alert in its unmodified 
> form is granted. All other rights, including the use of other
> media, are reserved by Vulnerability-Lab Research Team or its 
> suppliers. All pictures, texts, advisories, source code, videos and other
> information on this website is trademark of vulnerability-lab team & 
> the specific authors or managers. To record, list, modify, use or
> edit our material contact (admin@ or research@) to ask for permission.
>
>                     Copyright © 2023 | Vulnerability Laboratory - 
> [Evolution Security GmbH]™
>
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS:https://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
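The session-binding control quoted from the OWASP cheat sheet above, as an added worked example that is not part of this thread and is not code from Citrix, NetScaler or Vulnerability Lab. It is a minimal server-side session store: at login the session ID is bound to a keyed hash of the client's source IP and User-Agent, every request re-checks that binding and an idle timeout, and a session ID that arrives from a different client is terminated and an alert recorded, so that a copied cookie does not by itself grant access. The class and function names (SessionStore, Session, demo), the secret, the addresses and the User-Agent strings are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    binding: str      # HMAC of the client properties captured at login
    created: float    # Unix timestamps, passed in explicitly so the example is deterministic
    last_seen: float
    mfa_passed: bool


class SessionStore:
    """Server-side session store that binds each session ID to client
    properties (source IP and User-Agent here) and treats a mismatch during an
    established session as a hijacking indicator. Hypothetical class, not an
    API of any product discussed in the thread."""

    def __init__(self, secret: bytes, idle_timeout: float = 900.0):
        self.secret = secret
        self.idle_timeout = idle_timeout
        self.sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []

    def _fingerprint(self, ip: str, user_agent: str) -> str:
        # Keyed hash: the store holds no raw IPs/UAs, and someone who reads the
        # store cannot compute a binding for a different client without the key.
        msg = f"{ip}\x00{user_agent}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def create(self, user: str, ip: str, user_agent: str, now: float,
               mfa_passed: bool) -> str:
        # A fresh, unguessable ID is issued only after the login (and MFA) step.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, self._fingerprint(ip, user_agent),
                                     now, now, mfa_passed)
        return sid

    def validate(self, sid: str, ip: str, user_agent: str,
                 now: float) -> Optional[Session]:
        """Return the session if the presented ID is valid for this client,
        otherwise None. Invalidates the session on expiry or on an anomaly."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout:
            # Expired sessions are dropped rather than silently revived.
            del self.sessions[sid]
            return None
        if not hmac.compare_digest(s.binding, self._fingerprint(ip, user_agent)):
            # Same session ID, different client: alert and terminate, so the
            # legitimate user is forced to re-authenticate (including MFA).
            self.alerts.append(
                f"session of {s.user} presented from an unexpected client; terminated")
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s


def demo():
    """Walk through the scenario from the thread with constructed values:
    a legitimate client, then the same cookie presented from another host."""
    store = SessionStore(secret=b"constructed-demo-secret", idle_timeout=900.0)
    t0 = 1_690_000_000.0
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"
    other_ip, other_ua = "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Chrome/114.0"

    sid = store.create("alice", victim_ip, victim_ua, t0, mfa_passed=True)
    legit = store.validate(sid, victim_ip, victim_ua, t0 + 60)   # accepted
    replay = store.validate(sid, other_ip, other_ua, t0 + 120)   # rejected, alert raised
    after = store.validate(sid, victim_ip, victim_ua, t0 + 180)  # gone: must log in again
    return (legit is not None, replay is None, after is None, len(store.alerts))


if __name__ == "__main__":
    print(demo())  # -> (True, True, True, 1)
```

Two caveats a practitioner should keep in mind. First, as Jens notes, this is detection rather than prevention: a cookie presented from the same network with the same User-Agent passes the check, which is why the OWASP text also lists a client-based certificate, the one property that a copied cookie jar cannot supply. Second, binding to the source IP produces false positives for users whose address changes mid-session (mobile networks, load-balanced proxies), so many deployments bind to a looser property or alert without terminating; the `alerts` list is the hook for that choice.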
