Solved

Citrix Access Gateway allows security scan bypass

Posted on 2006-06-08
Last Modified: 2008-01-09
There appears to be a major security hole in the Citrix Access Gateway 4.2 Pre-Authentication Policy "pre-scan" capability, and I'm hoping someone knows how to close that gaping hole. If the policy is turned on (e.g. to detect viruses, keyloggers, etc. or to block certain types of workstations) and the scan fails, the user is appropriately redirected to a failure page (https://fqdn/__prescan_failed.html). However, if they modify that URL, replacing "failed" with anything else, then they are allowed past the scan and can then login.

This is a big concern on two levels:
 (1) if a legitimate user who has unwittingly installed a keylogger bypasses the scan, someone now has their login credentials
 (2) if an unwanted user who should have been blocked bypasses the scan, they can now hack away at the Citrix server login

Citrix has known about this since at least February and hasn't fixed it yet and won't commit to a fix date. (If a vendor like Microsoft had the same lack of response to a far lesser security hole, they would be raked across the coals in the mainstream media and blogs around the world.)

Does anyone have a workaround to prevent someone from continuing past the Citrix scan failure page?
Question by:ET0000
10 Comments
 
LVL 18

Expert Comment

by:mgcIT
ID: 16872949
where's the citrix article about this... I'd be interested to read what they have said...

thanks
LVL 13

Accepted Solution

by:
gsgi earned 500 total points
ID: 16878505
I am no expert in this, and I may be completely wrong, but why wouldn't simple URL blocking in the exterior firewall prevent that?
It might be tricky, to get _prescan_failed to be allowed and _prescan_* to be rejected, but perhaps it's possible?
Perhaps blocking all urls beginning _prescan would still allow the redirect, but prevent them from changing it?

-gsgi
LVL 13

Author Comment

by:ET0000
ID: 16880234
My original description should have said "if they modify that URL, for example, replacing "failed" with anything else, then they are allowed past the scan and can then login." The modification doesn't have to leave "_prescan_" in place -- it appears that any modification to the latter part of the URL allows them past the scan failure page, so it looks like it is contextual, rather than specific URLs, and I'm not sure the external firewall rules will accommodate the contextual blocking.

I will look into that, but am open to other ideas in case it doesn't pan out.
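The two halves of the workaround discussed in this thread, as an added example that is not code from the thread, from Citrix, or from any real firewall product: a strict per-URL rule of the kind gsgi proposes, plus the contextual, per-client rule ET0000 says a plain URL filter cannot express. It assumes a hypothetical filtering proxy in front of the gateway that sees each request-target and can be told when the gateway has redirected a client to the failure page; the client key (source address), the quarantine window and the sample traffic are all constructed for the example. The only fact taken from the page is the failure URL `/__prescan_failed.html`.

```python
import time
from urllib.parse import unquote, urlsplit

# The one URL the gateway sends a client to after a failed pre-scan (from the question).
PRESCAN_FAILED = "/__prescan_failed.html"
# Assumed quarantine window: how long a client that was sent to the failure
# page is held to that page alone. Tune to the gateway's scan timeout.
QUARANTINE_SECONDS = 600


class PrescanFilter:
    """Toy request filter sitting in front of the gateway (hypothetical deployment).

    Two rules:
      1. Any request whose path looks like a /__prescan* URL is allowed only if it
         is byte-for-byte the real failure page. Detection runs on a decoded,
         case-folded copy so encoded or re-cased variants are still caught, but
         the allow decision uses the raw request-target, so normalization can
         only widen the deny, never the allow.
      2. Once a client has been redirected to the failure page (the caller reports
         that via note_failed_scan), every other request from that client is
         denied until the quarantine expires. This is the contextual part that a
         per-URL rule alone cannot express.
    Clients are keyed by address here, which is weak behind NAT; a session
    cookie from the gateway would be a better key if one is available.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._quarantined = {}  # client -> expiry timestamp

    def note_failed_scan(self, client):
        """Record that the gateway answered this client with a redirect to PRESCAN_FAILED."""
        self._quarantined[client] = self._now() + QUARANTINE_SECONDS

    def _expire(self, client):
        expiry = self._quarantined.get(client)
        if expiry is not None and self._now() >= expiry:
            del self._quarantined[client]

    def check(self, client, request_target):
        """Return 'allow' or 'deny:<reason>' for one request-target from one client."""
        self._expire(client)
        if client in self._quarantined:
            # After a failed scan, only the exact failure page may be fetched.
            return "allow" if request_target == PRESCAN_FAILED else "deny:quarantined"
        # Widen detection: decode percent-encoding and fold case before the prefix test.
        probe = unquote(urlsplit(request_target).path).lower()
        if probe.startswith("/__prescan"):
            # A query string, different case, encoded characters or any other change
            # to the failure URL is exactly the modified URL the gateway mistakes for
            # "not the failure page", so it is denied rather than normalized.
            return "allow" if request_target == PRESCAN_FAILED else "deny:prescan-variant"
        return "allow"  # anything else goes on to the gateway as usual


def demo():
    """Constructed traffic: one client that fails the scan and one that does not."""
    clock = [0.0]
    flt = PrescanFilter(now=lambda: clock[0])
    results = [
        flt.check("10.0.0.5", "/__prescan_failed.html"),       # allow
        flt.check("10.0.0.5", "/__prescan_fail.html"),         # deny:prescan-variant
        flt.check("10.0.0.5", "/__PRESCAN_failed.html"),       # deny:prescan-variant
        flt.check("10.0.0.5", "/%5f_prescan_failed.html"),     # deny:prescan-variant
        flt.check("10.0.0.5", "/__prescan_failed.html?ok=1"),  # deny:prescan-variant
    ]
    flt.note_failed_scan("10.0.0.5")  # the gateway redirected this client
    results.append(flt.check("10.0.0.5", "/citrix/login"))            # deny:quarantined
    results.append(flt.check("10.0.0.5", "/__prescan_failed.html"))   # allow
    results.append(flt.check("10.0.0.9", "/citrix/login"))            # allow (other client)
    clock[0] = QUARANTINE_SECONDS + 1
    results.append(flt.check("10.0.0.5", "/citrix/login"))            # allow (expired)
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The design point is the asymmetry: the deny branch normalizes (decodes, lowercases) so it catches as many variants as possible, while the allow branch compares the raw request-target exactly, because the bug as described is that the gateway treats any string other than the exact failure URL as a pass. The quarantine rule closes the "any other URL" case, but only for as long as the filter can reliably recognise the same client, which is the real limit of this workaround.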
LVL 13

Author Comment

by:ET0000
ID: 17607445
The current information from Citrix is that for current commercial versions of the Citrix Access Gateway, you need to upgrade to the Advanced Access Control Option licenses to avoid this gaping security hole. An upcoming version of CAG (currently in beta) is supposed to add this expected functionality to the basic version; this version may be available in October.

In email communications, although Citrix staff acknowledged this is a bug, they were very careful not to call this problem a "security" problem (and even warned each other not to refer to it that way) -- apparently because calling it that would have required them to fix it in a much more reasonable timeframe. I'm still amazed that a company like Citrix can get away with leaving a security hole open for at least 8 months (and many CAGs will still have the hole after the new version is released).  

Technically, gsgi's response is probably correct -- it may be possible to set up URL-based firewall rules to prevent bypassing the security, so I'll accept that answer (but that is way more effort than one should have to put into using a feature in a commercial product).
LVL 13

Expert Comment

by:gsgi
ID: 17607524
It's a real kick in the pants to get points from a higher ranked expert, and highly respected EE contributor such as ET0000. It is too bad that they (commercial big wig software/hardware people) force us to implement hokey security work arounds, but what else can we do? Thanks ET0000. I am sorry that no one has a real / better solution to your issue. -gsgi
LVL 13

Author Comment

by:ET0000
ID: 17608772
gsgi, Thanks for your kind words (but I expect our order in the rankings to be reversed at some point in the future). We have paid for the AACO licenses, even though we don't plan to use the additional features -- several thousand dollars is the price we've paid for a real solution. Thanks for your suggestion.
LVL 13

Expert Comment

by:gsgi
ID: 17609541
to get around all key loggers, why don't they put a keyboard on the screen, and make you click in your username and password?
or
use one of the randomizer things that people carry with them and the code updates every 15 seconds - so if an old code is logged, who cares
or
put a RADIUS server in front of Citrix, and set it up with a globally changing password that everybody could figure out in their head.

that thing is scanning for known viruses and known keyloggers, right...
LVL 13

Author Comment

by:ET0000
ID: 17611350
There is spyware that deals with those on-screen keyboards -- it captures a small area right around the mouse when the user visits certain websites and sends a playback of clicks to the hacker. This is geared toward banks, usually in Europe, to get people's passwords.

The randomizers may be a partial solution, but because they usually involve also supplying a userid/password, someone can get a valid userid and password. That isn't useful for anything that requires the randomizer, but it may get them into other systems. We have started using these for some apps, but it really needs to be pervasive in the organization to be completely effective.

If there are rules to determine a password, then a stupid or disgruntled employee will document those rules where they shouldn't, so the changing-password approach would probably be compromised fairly quickly.

Security is tricky, so it doesn't surprise me that there are gaps and mistakes even from big companies, but it does surprise me when companies leave those known gaps open for extended periods of time.
LVL 13

Expert Comment

by:gsgi
ID: 17611773
Ah, you are good. (Of course, I already knew that.) And you are teaching me holes I didn't know about ... spyware for screen keyboards...

Can they get around those wacky "enter the strange letters that you see in this box" things? I realize a human would, but does this stop automated attacks against logged passwords?

How about a bootable Linux distro that sets up an IPsec based VPN to the router that allows whomever to then log in. Since it is a bootable CD OS, no viruses or spyware. It could be basically a VPN client and an ICA program. It is also a key of sorts - you must have the CD.

Every few months, you could change the peer ID on the IPsec tunnel, and release a new CD.

I suppose this is unmanageable for a big company?

My buddy, an IT director, thinks someone should make a thin client device that runs a web browser ... which is kind of what my CD idea makes a powerful computer into.

-gsgi
