CVE-2009-2631 – Vulnerability in Clientless SSL VPN Products Could Result in Policy Bypass

Description of Problem

A vulnerability has been disclosed by US-CERT that affects clientless SSL VPN products, including the Clientless VPN (CVPN) feature of Citrix Access Gateway Advanced Edition and Enterprise Edition. A clientless SSL VPN rewrites the URLs of the web sites it proxies so that the browser loads all of them from the VPN appliance's own origin; if the gateway can be made to rewrite a page under an attacker's control, that page runs in the same browser origin as the intranet sites reached through the gateway. This could, if exploited, allow an attacker to bypass browser Same Origin Policy restrictions, for example to read the gateway session cookie or the content of other sites accessed through the VPN.

This vulnerability has been assigned the following CVE number:

    • CVE-2009-2631: Same-origin policy bypass vulnerabilities in several VPN products reported.

Additional information can be found in the US-CERT advisory at:

    • http://www.kb.cert.org/vuls/id/261869

This vulnerability affects the following products:

    • Citrix Access Gateway Enterprise Edition v8.1 and later

    • Citrix Access Gateway Advanced Edition, all supported versions

Customers using only the Access Gateway Enterprise Edition Plug-ins for Windows and Mac OS X are not affected by this vulnerability.

The Access Gateway Standard Edition does not include CVPN (Clientless VPN) functionality, and is not affected by this vulnerability.

What Customers Should Do

Access Gateway Enterprise Edition:

The following steps will help to reduce the possibility of this vulnerability being exploited:

1. Limit URL and JavaScript rewriting to specific domains

    a. Within the management GUI, navigate to the Access Gateway, Global Settings node and select the Configure Domains for Clientless Access option.

    b. Select the Allow domain radio button and add the names of trusted intranet domains such as “mycompany.net”.

    c. Click Ok.

2. Block the VPN server from accessing remote domains

    a. Within the management GUI, navigate to the Access Gateway, Policies, Authorization node and click Add.

    b. In the Create Authorization policy dialog box, create a policy, for example “allow_only_intranet_addresses”.

    c. Click the Add button and add expressions to allow only intranet IP addresses, for example “REQ.IP.DESTIP == 10.0.0.0 -netmask 255.0.0.0 || REQ.IP.DESTIP == 192.168.0.0 -netmask 255.255.0.0”. Note that each comparison needs the “==” operator. If your intranet also uses the 172.16.0.0/12 range, add “|| REQ.IP.DESTIP == 172.16.0.0 -netmask 255.240.0.0”; do not add any range that is reachable from the Internet.

    d. When these expressions have been added, click Create.

    e. Navigate to the Access Gateway, Groups node and click Add. In the Create AAA group dialog box, create a group, for example “defaultAuthorizationGroup”, and click the Create button.

    f. Navigate to the Authorization tab, click on Insert Policy, select the allow_only_intranet_addresses policy and click Ok. Repeat the policy inserting for all other groups configured on the appliance.

    g. Navigate to the Access Gateway, Global Settings node and click the Change global settings link under Settings. Select the Security tab and ensure that the Default Authorization Action is set to Deny. Then click the Advanced link at the bottom and add the defaultAuthorizationGroup group to Authorization Groups, so that the allow_only_intranet_addresses policy applies to every user, including users not placed in any other group.

3. Disable URL hiding

    a. Within the management GUI, navigate to the Access Gateway, Global Settings node, click the Change global settings link under Settings, and select the Client Experience tab.

    b. Select the Clear option for Clientless Access URL Encoding and press Ok.

Access Gateway Advanced Edition:

The following steps will help to reduce the possibility of this vulnerability being exploited:

1. Block the VPN server from accessing remote domains

    a. By default, Advanced Access Control (AAC) does not allow access to remote domains unless the remote domain has been added as a web resource and configured with the corresponding access policies. Access to remote domains can be blocked by removing their entries from the allowed web resources, or by explicitly denying access to these domains using an Access Policy for the given resource.

2. Disable URL re-writing features

    a. The URL re-writing feature can be disabled for a given web resource by setting Bypass URL rewriting to Allowed in the policy settings of the corresponding Access Policy.
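The following is an added example, not Citrix code and not a description of the appliance's implementation. It is a small Python model of what Enterprise Edition steps 1 and 2 above (and the equivalent Advanced Edition web-resource controls) change: a clientless gateway serves every rewritten site from its own origin, so two unrelated sites end up in one browser origin unless rewriting is limited to trusted domains and destinations are limited to intranet addresses. The gateway name vpn.example.net, the /cvpn/ path layout, the host names and the resolved IP addresses are all constructed for illustration.

```python
"""Model of clientless-VPN URL rewriting and the two mitigations in this advisory.

Added example, not Citrix code. The gateway origin, the '/cvpn/<scheme>/<host>'
path layout, the host names and the IP addresses are constructed for illustration.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit

GATEWAY_HOST = "vpn.example.net"  # constructed: the appliance's own host name

# Constructed sample requests: an intranet site and an attacker-controlled site,
# each with the address the gateway would resolve the host name to.
INTRANET_URL, INTRANET_IP = "https://intranet.mycompany.net/payroll", "10.1.2.3"
ATTACKER_URL, ATTACKER_IP = "https://attacker.example/evil.html", "203.0.113.5"


def origin(url):
    """Browser origin (scheme + host[:port]) of a URL, as the Same Origin Policy sees it."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc.lower()}"


class ClientlessRewriter:
    """Rewrites proxied URLs onto the gateway origin, subject to two optional controls.

    allowed_domains  -- step 1: only hosts in these domains are rewritten at all.
    allowed_networks -- step 2: only destinations inside these networks are reachable.
    Leaving both empty models the unrestricted (vulnerable) configuration.
    """

    def __init__(self, allowed_domains=(), allowed_networks=()):
        self.allowed_domains = [d.lower().lstrip(".") for d in allowed_domains]
        self.allowed_networks = [ip_network(n) for n in allowed_networks]

    def domain_allowed(self, host):
        if not host:
            return False
        if not self.allowed_domains:
            return True  # no domain list configured: everything is rewritten
        host = host.lower()
        # Exact match or a proper subdomain; 'mycompany.net.attacker.example'
        # and 'evilmycompany.net' must not match 'mycompany.net'.
        return any(host == d or host.endswith("." + d) for d in self.allowed_domains)

    def destination_allowed(self, ip):
        if not self.allowed_networks:
            return True  # default authorization action ALLOW: any destination
        return any(ip_address(ip) in net for net in self.allowed_networks)

    def rewrite(self, url, resolved_ip):
        """Return the URL the browser would load via the gateway, or None if blocked."""
        parts = urlsplit(url)
        if not self.domain_allowed(parts.hostname):
            return None
        if not self.destination_allowed(resolved_ip):
            return None
        path = f"/cvpn/{parts.scheme}/{parts.netloc}{parts.path or '/'}"
        return urlunsplit(("https", GATEWAY_HOST, path, parts.query, ""))


def same_browser_origin(rewriter, url_a, ip_a, url_b, ip_b):
    """True if both pages would be served to the browser from one origin."""
    rewritten_a = rewriter.rewrite(url_a, ip_a)
    rewritten_b = rewriter.rewrite(url_b, ip_b)
    return (rewritten_a is not None and rewritten_b is not None
            and origin(rewritten_a) == origin(rewritten_b))


if __name__ == "__main__":
    # Direct browsing: the two sites are separate origins.
    print("direct:", origin(INTRANET_URL), "vs", origin(ATTACKER_URL))
    # Unrestricted gateway: both collapse onto the gateway origin (the bug).
    unrestricted = ClientlessRewriter()
    print("unrestricted same origin:",
          same_browser_origin(unrestricted, INTRANET_URL, INTRANET_IP, ATTACKER_URL, ATTACKER_IP))
    # Step 1: rewriting limited to trusted domains.
    by_domain = ClientlessRewriter(allowed_domains=["mycompany.net"])
    print("domain allow-list same origin:",
          same_browser_origin(by_domain, INTRANET_URL, INTRANET_IP, ATTACKER_URL, ATTACKER_IP))
    # Step 2: destinations limited to intranet address ranges.
    by_network = ClientlessRewriter(allowed_networks=["10.0.0.0/8", "192.168.0.0/16"])
    print("network allow-list same origin:",
          same_browser_origin(by_network, INTRANET_URL, INTRANET_IP, ATTACKER_URL, ATTACKER_IP))
```

Either control alone keeps the attacker's page out of the gateway origin in this model; applying both, as the advisory recommends, also covers the case where an attacker-controlled host sits inside a trusted domain but resolves to a public address, or an intranet address is reachable under an untrusted name.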

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. If you would like to report a security issue to Citrix, please compose an e-mail to secure@citrix.com stating the exact version of the product in which the vulnerability was found and the steps needed to reproduce the vulnerability.
