-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-020
Product: ADC/NetScaler
Manufacturer: Citrix
Tested Version(s): NS13.0 52.24
Vulnerability Type: Relative Path Traversal (CWE-23)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2020-05-06
Public Disclosure: 2020-10-02
CVE Reference: None assigned
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

NetScaler/Citrix ADC is a multi-protocol reverse proxy appliance, commonly
used to externally provide Citrix Remote Desktop Services or SSL VPN.

The manufacturer describes the product as follows (see [1]):

"Citrix ADC is the most comprehensive application delivery and load
balancing solution for monolithic and microservices-based applications.
Which means you can deliver a better user experience, on any
device—anywhere."

Due to missing path normalization/validation, Citrix ADC is vulnerable to
path traversal attacks, which allow access to internal management
resources from the external appliance interface (virtual IP).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Even though path traversal was one of the primary components of the recent
critical Citrix ADC vulnerability [2], the patch provided by the vendor
merely prevents that specific vector (and addresses some of the
vulnerabilities of the targeted script).

In general, request dispatching from the front-end reverse proxy service to
the back end, specifically to the local web server providing the user
front-end and management web interfaces, is based purely on prefix matching
of the request path and does not implement proper mitigations against path
traversal attacks.

Authenticated users can, for example, access the following resources on
the management server through the external interface (virtual IP):

- https://$NETSCALER/vpn/../admin_ui/php/index.php
- https://$NETSCALER/vpn/../nitro/v1/{...}

Moreover, a SOAP web service handler (Apache mod_gsoap) can be reached at
https://$NETSCALER/vpn/../soap. However, this handler appears to be defunct
in the tested version.

While none of these services appear to be directly usable/exploitable,
they still expose a significant additional attack surface.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

While both

> curl -k -v --path-as-is https://$NETSCALER/vpn/../admin_ui/php/index.php \
    -H "Cookie: NSC_AAAC={...}"

and

> curl -k -v --path-as-is https://$NETSCALER/vpn/../nitro/v1/config \
    -H "Cookie: NSC_AAAC={...}"

result in an HTTP 404 error,

< HTTP/1.1 404 Not Found
< Date: Tue, 05 May 2020 13:01:52 GMT
< Server: Apache
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block

further investigation shows that these requests actually reach the PHP
interpreter and the application code at:

- /netscaler/ns_gui/admin_ui/php/index.php
- /netscaler/ns_gui/admin_ui/nitro/nitro.php

The 404 error is merely caused by each script's internal routing not
recognizing the request path (note that curl's --path-as-is is required so
that the client does not collapse the "/vpn/.." segment itself before the
request is sent).

Likewise, the request

> curl -k --path-as-is https://$NETSCALER/vpn/../ -H "Cookie: NSC_AAAC={...}"

returns

-> [...]

Support Blocked!

which is generated by mod_gsoap.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Implement proper path normalization before comparing request paths for
routing, or properly validate request paths, to avoid path traversal
attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-05-01: Vulnerability discovered
2020-05-06: Vulnerability reported to manufacturer
2020-06-03: Vendor assessment, considered a low-priority defense-in-depth
            issue
2020-10-02: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website of Citrix ADC
    https://www.citrix.com/products/citrix-adc/
[2] CVE-2019-19781
    https://nvd.nist.gov/vuln/detail/CVE-2019-19781
[3] SySS Security Advisory SYSS-2020-020
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-020.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be
updated in order to provide as accurate information as possible. The latest
version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAl927SUACgkQdo7+K7Pl
PdqkFwgAg7LXSWpX4cgfRbXlXbVTTxoj4hjLdWThxCTBzWcx8UbBk8ib8UEyGsEw
03Zy/230qoRS2q9ZP8MYF3jCJ3E/w0kr3blDu40AxOqS80y4BiTNzqlc1n0rIc7Q
2EOLRPUek1tQ56zAyZqwpKlVALXxiyPd3B0F8R+xlN4p7SFUnH0xgWF3bGeXCvKW
QndWs4yJYl1wCWsbaX9ORzkNjhG5vxC6DlUBdjGy/03D8+anTOj3y8230RNToQw1
gbe+Rjo8SXYlbDOOx9DLHEX4rD1Twuj1H8t/sraXv1b3lsSlaMBa5D8Q69znRljl
McmPAHBwwXytszzLN2DeWqjVKQc1yA==
=4qQS
-----END PGP SIGNATURE-----