Citrix Access Gateway allows security scan bypass

There appears to be a major security hole in the Citrix Access Gateway 4.2 Pre-Authentication Policy "pre-scan" capability, and I'm hoping someone knows how to close that gaping hole. If the policy is turned on (e.g. to detect viruses, keyloggers, etc. or to block certain types of workstations) and the scan fails, the user is appropriately redirected to a failure page (https://fqdn/__prescan_failed.html). However, if they modify that URL, replacing "failed" with anything else, then they are allowed past the scan and can then login.

This is a big concern on two levels:
 (1) if a legitimate user with a keylogger unwittingly installed bypasses the scan, someone now has their login credentials
 (2) if an unwanted user who should have been blocked bypasses the scan, they can now hack away at the Citrix server login

Citrix has known about this since at least February and hasn't fixed it yet and won't commit to a fix date. (If a vendor like Microsoft had the same lack of response to a far lesser security hole, they would be raked across the coals in the mainstream media and blogs around the world.)

Does anyone have a workaround to prevent someone from continuing past the Citrix scan failure page?
ET0000 Asked:
gsgiCommented:
I am no expert in this, and I may be completely wrong, but why wouldn't simple URL blocking in the exterior firewall prevent that?
It might be tricky to get _prescan_failed to be allowed and _prescan_* to be rejected, but perhaps it's possible?
Perhaps blocking all URLs beginning _prescan would still allow the redirect, but prevent them from changing it?

-gsgi
mgcITCommented:
where's the citrix article about this... I'd be interested to read what they have said...

thanks
ET0000Author Commented:
My original description should have said "if they modify that URL, for example, replacing "failed" with anything else, then they are allowed past the scan and can then login." The modification doesn't have to leave "_prescan_" in place -- it appears that any modification to the latter part of the URL allows them past the scan failure page, so it looks like it is contextual, rather than specific URLs, and I'm not sure the external firewall rules will accommodate the contextual blocking.

I will look into that, but am open to other ideas in case it doesn't pan out.
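The URL filtering gsgi suggests, with ET0000's caveat that any change to the tail of the URL gets past the failure page, is most naturally expressed as a default-deny allow-list on a proxy or firewall in front of the gateway rather than a single "block __prescan_*" rule. The following is an added illustration written for this thread, not Citrix code or a real CAG or firewall configuration: it canonicalises the request path (percent-decoding, collapsing `.`/`..` segments, ignoring the query string) before matching, because a filter that compares the raw string can be sidestepped by an encoded spelling of the same path. The allowed entry points other than the failure page named in the question (`/` as the login entry, `/static/`) are assumptions for the example; a real deployment would list the gateway's actual login and asset paths. The filter cannot see whether the scan passed, which is the contextual gap ET0000 describes, so it only narrows what a visitor can reach after being redirected.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# The only URL the thread names: where a failed pre-scan redirects the user.
FAILURE_PAGE = "/__prescan_failed.html"

# Hypothetical allow-list for the example; a real gateway has its own login/asset paths.
ALLOWED_EXACT = {"/", FAILURE_PAGE}
ALLOWED_PREFIXES = ("/static/",)


def canonical_path(raw_url: str) -> str:
    """Reduce a request URL to one comparable path form.

    Query string and fragment are dropped, percent-encoding is decoded and
    dot segments are collapsed, so "/x/../%5F%5Fprescan_failed.html?a=1"
    becomes "/__prescan_failed.html" before any rule is consulted.
    """
    path = urlsplit(raw_url).path or "/"
    path = unquote(path)
    if "\x00" in path:
        # A NUL byte never belongs in a path; treat it as an unmatched path.
        return "/\x00"
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path


def decide(raw_url: str) -> str:
    """Return "allow" or "deny" for a request URL under a default-deny policy."""
    path = canonical_path(raw_url)
    if path in ALLOWED_EXACT:
        return "allow"
    # Any other spelling of a __prescan_ page is a guessed variant of the
    # failure page, so it is refused explicitly (the default would refuse it too).
    if path.startswith("/__prescan_"):
        return "deny"
    if path.startswith(ALLOWED_PREFIXES):
        return "allow"
    return "deny"


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    "https://fqdn/__prescan_failed.html",
    "https://fqdn/__prescan_other.html",
    "https://fqdn/x/../%5F%5Fprescan_failed.html?retry=1",
    "https://fqdn/anything-else",
    "https://fqdn/static/logo.gif",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(f"{decide(url):5s}  {url}")
```

The explicit `/__prescan_` deny branch is redundant under default-deny, but it makes the intent of gsgi's rule visible in a log or rule listing; the canonicalisation step is the part that matters, since the same path can be written in several encoded forms.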
ET0000Author Commented:
The current information from Citrix is that for current commercial versions of the Citrix Access Gateway, you need to upgrade to the Advanced Access Control Option licenses to avoid this gaping security hole. An upcoming version of CAG (currently in beta) is supposed to add this expected functionality to the basic version; this version may be available in October.

In email communications, although Citrix staff acknowledged this is a bug, they were very careful not to call this problem a "security" problem (and even warned each other not to refer to it that way) -- apparently because calling it that would have required them to fix it in a much more reasonable timeframe. I'm still amazed that a company like Citrix can get away with leaving a security hole open for at least 8 months (and many CAGs will still have the hole after the new version is released).  

Technically, gsgi's response is probably correct -- it may be possible to set up URL-based firewall rules to prevent bypassing the security, so I'll accept that answer (but that is way more effort than one should have to put into using a feature in a commercial product).
gsgiCommented:
It's a real kick in the pants to get points from a higher ranked expert and highly respected EE contributor such as ET0000. It is too bad that they (commercial big wig software/hardware people) force us to implement hokey security workarounds, but what else can we do? Thanks ET0000. I am sorry that no one has a real / better solution to your issue.   -gsgi
ET0000Author Commented:
gsgi, Thanks for your kind words (but I expect our order in the rankings to be reversed at some point in the future). We have paid for the AACO licenses, even though we don't plan to use the additional features -- several thousand dollars is the price we've paid for a real solution. Thanks for your suggestion.
gsgiCommented:
To get around all key loggers, why don't they put a keyboard on the screen, and make you click in your username and password?
or
use one of the randomizer things that people carry with them and the code updates every 15 seconds - so if an old code is logged, who cares
or
put a radius server in front of citrix, and set it up with a globally changing password that everybody could figure out in their head.

that thing is scanning for known viruses and known keyloggers, right...
ET0000Author Commented:
There is spyware that deals with those on-screen keyboards -- it captures a small area right around the mouse when the user visits certain websites and sends a playback of clicks to the hacker. This is geared toward banks, usually in Europe, to get people's passwords.

The randomizers may be a partial solution, but because they usually involve also supplying a userid/password, someone can get a valid userid and password. That isn't useful for anything that requires the randomizer, but it may get them into other systems. We have started using these for some apps, but it really needs to be pervasive in the organization to be completely effective.

If there are rules to determine a password, then a stupid or disgruntled employee will document those rules where they shouldn't, so the changing-password approach would probably be compromised fairly quickly.

Security is tricky, so it doesn't surprise me that there are gaps and mistakes even from big companies, but it does surprise me when companies leave those known gaps open for extended periods of time.
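The "randomizer" tokens gsgi mentions and ET0000's point that an old code is useless only if the server refuses to accept it again can be shown concretely. The code below is an added example for this thread, not Citrix's, RSA's or any vendor's implementation: it generates time-based one-time codes following RFC 6238 (HMAC-SHA1 over a 30-second counter, RFC 4226 dynamic truncation) and verifies them with a small clock-skew window plus a replay guard, so a code captured by a keylogger is rejected once it has been used or once its time slot has passed. The shared secret and timestamps are constructed for the demonstration; the 30-second step is the RFC default (the thread mentions 15-second tokens, which is a configuration choice). As ET0000 notes, this protects only the one-time code, not a static password typed alongside it.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step (assumption for this example)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 code for one time-step counter (HMAC-SHA1 + dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: accepts each code at most once and only near its own time slot."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = 6):
        self.secret = secret
        self.window = window          # time steps of clock skew tolerated either side
        self.digits = digits
        self.last_counter = -1        # highest counter already consumed (replay guard)

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // STEP_SECONDS)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # this slot (or an older one) was already used: replay
            if hmac.compare_digest(totp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


def demo() -> dict:
    """Constructed scenario: a code captured by a keylogger and replayed later."""
    secret = b"constructed-demo-secret-not-a-real-seed"
    t0 = 1_000_000  # arbitrary constructed epoch time
    verifier = TotpVerifier(secret)
    code = totp(secret, t0 // STEP_SECONDS)  # what the user typed (and the logger saw)
    return {
        "first_use": verifier.verify(code, t0),            # legitimate login
        "replay_same_slot": verifier.verify(code, t0 + 5),  # replayed seconds later
        "replay_one_hour": verifier.verify(code, t0 + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry the security value here: `hmac.compare_digest` keeps the comparison constant-time, and `last_counter` is what turns "the code changes every 30 seconds" into "a captured code cannot be used at all", since without it the same code would verify repeatedly until the slot expired.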
gsgiCommented:
Ah, you are good. (Of course, I already knew that.)  And you are teaching me holes I didn't know about ...  spyware for screen keyboards...

Can they get around those wacky "enter the strange letters that you see in this box" things? I realize a human would, but does this stop automated attacks against logged passwords?

How about a bootable Linux distro that sets up an IPsec-based VPN to the router that allows whomever to then log in.  Since it is a bootable CD OS, no viruses or spyware.  It could be basically a VPN client and an ICA program.  It is also a key of sorts - you must have the CD.

Every few months, you could change the peer ID on the IPsec tunnel, and release a new CD.

I suppose this is unmanageable for a big company?

My buddy, an IT director, thinks someone should make a thin client device that runs a web browser ... which is kind of what my CD idea makes a powerful computer into.

-gsgi