3

Are there any security weaknesses associated with using Citrix XenApp 6.5, Citrix Storefront and Citrix Receiver as a remote access tool?

I.e., I know it uses the RC4-MD5 and DES-CBC3-MD5 ciphers, which are considered weak.

Any other flaws?

StackzOfZtuff
KimberleyK
    Have you researched CVEs associated with Citrix? – schroeder Jun 26 '15 at 00:30
  • Wouldn't most of the common Citrix-specific vulnerabilities and exposures listed on the Internet be fixed by Citrix in the latest patch? – KimberleyK Jun 26 '15 at 00:36
  • I'll have a look and see if there are any large, obvious risks, like Citrix Receiver failing to check whether your computer is infected with a virus before allowing remote connections. Watch this space! – KimberleyK Jun 26 '15 at 00:38
  • Sorry - I realise this is probably a really silly question, but to save me spending 20 hours on google, how does the CVE system work? Where would I find a CVE related to Citrix Receiver? If this really is a silly question and the answer is easy to find, just tell me I'm an idiot and I will go and look it up myself. – KimberleyK Jun 26 '15 at 01:04
  • You wrote "large, obvious risks, like Citrix Receiver failing to check whether your computer is infected". Please note that Receiver does not do this. And is not even supposed to. – StackzOfZtuff Jun 26 '15 at 08:36
  • You wrote "I know it uses RC4-MD5 and DES-CBC3-MD5". I was unaware of that. Do you have a link for that? – StackzOfZtuff Jun 27 '15 at 05:42
  • Hi StackzOfZtuff. So when you're connected remotely through Citrix Receiver, there is a chance your computer is infected and all the connections and data passed through via your remote connection are not completely secure? I'm going to research this, so stay posted for more answers. In reply to your 'RC4-MD5 and DES-CBC3-MD5' question, I recall it being from a reputable source, but I'll see if I can track down the original information for you. – KimberleyK Jun 28 '15 at 06:13
  • @KimberleyK. Yes. Receiver does not know or care about the client's health. I don't know of any automated tool to infect a server via an infected Citrix client, though. What can happen, though, is that an infected server may infect the client, because the server may see the client's drives. – StackzOfZtuff Jul 02 '15 at 08:58
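The cipher point in the question is the one part of this thread that can be checked mechanically. Below is an added example (not code from Citrix or from any poster here) that classifies a server's offered cipher list by OpenSSL suite name, the naming that `openssl s_client -cipher` and nmap's `ssl-enum-ciphers` use. It flags RC4, 3DES, MD5-MAC, export, NULL and anonymous suites, and it also notes that a CBC+MD5 name such as DES-CBC3-MD5 is, in OpenSSL's naming, an SSL 2.0 suite, so seeing it offered means the protocol itself is still enabled, not just a weak cipher. The sample list is constructed, not captured from a real deployment; `probe_host` is an assumed helper that needs network access and is only there to show how the same check is done live against whatever terminates TLS in front of StoreFront.

```python
"""Audit a TLS cipher list for the weak suites raised in the question.

Added example for this thread, not code from Citrix or from any poster.
Suite names follow OpenSSL's naming (RC4-MD5, DES-CBC3-SHA, ...).
SAMPLE_OFFERED is a constructed list, not a capture from a real server.
"""
import socket
import ssl

# Substring of an OpenSSL suite name -> why that suite is a finding.
WEAK_MARKERS = {
    "NULL": "no encryption at all",
    "EXP": "export-grade (40/56-bit) key",
    "ADH": "anonymous DH: no server authentication, trivially MITM-able",
    "AECDH": "anonymous ECDH: no server authentication",
    "DES-CBC-": "single DES, 56-bit key",
    "DES-CBC3": "3DES: 64-bit blocks, Sweet32 birthday attack on long sessions",
    "RC4": "RC4 keystream biases; RFC 7465 prohibits RC4 in TLS",
    "MD5": "MD5-based record MAC, deprecated by every current policy",
}

# Constructed: what an un-hardened XenApp 6.5 / Web Interface host might
# advertise before Schannel is tightened. Not a real capture.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "RC4-MD5",
    "DES-CBC3-MD5",
]


def classify(cipher: str) -> list[str]:
    """Return every weakness matched by one suite name; [] means no finding."""
    name = cipher.upper()
    findings = [why for marker, why in WEAK_MARKERS.items() if marker in name]
    # OpenSSL only has CBC+MD5 names (DES-CBC3-MD5, RC2-CBC-MD5, IDEA-CBC-MD5)
    # for SSL 2.0 suites, so one of these being offered implies SSL 2.0 is on.
    if "CBC" in name and name.endswith("-MD5"):
        findings.append("SSL 2.0-only suite name: the protocol itself is broken (RFC 6176)")
    return findings


def weak_ciphers(offered) -> dict[str, list[str]]:
    """Map each offered suite that has at least one finding to its reasons."""
    return {c: classify(c) for c in offered if classify(c)}


def probe_host(host: str, port: int = 443, cipher: str = "RC4-MD5",
               timeout: float = 5.0):
    """Assumed helper: attempt one handshake that offers only `cipher`.

    Returns True if the server negotiated it, False if it refused, None if the
    local OpenSSL will not even configure that suite (common on current builds,
    which compile RC4 out or reject it below security level 1). Needs network
    access; the offline checks above never call this.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # testing ciphers, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1     # old hosts may lack TLS 1.2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # set_ciphers() does not cover 1.3
    try:
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    import sys
    for suite, reasons in weak_ciphers(SAMPLE_OFFERED).items():
        print(f"{suite}: {'; '.join(reasons)}")
    if len(sys.argv) > 1:   # live probe: python audit.py storefront.example.com
        for suite in ("RC4-MD5", "DES-CBC3-SHA"):
            print(suite, probe_host(sys.argv[1], cipher=suite))
```

Run it with no arguments to see the classification of the constructed list; pass a hostname to additionally try RC4-MD5 and DES-CBC3-SHA handshakes against it. A `None` from the live probe means the client's OpenSSL refused to offer the suite, so the result is inconclusive rather than a pass.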

2 Answers

4

There are many vulnerabilities, CVE or not, in all of Citrix's products -- http://www.cvedetails.com/product-list/vendor_id-422/Citrix.html -- but I would especially target each with tools such as Burp Suite Professional (copying or modifying HTTP headers appropriately, such as replaying a User-Agent header), or, if Windows, you will want to use a tool such as FuzzLabs -- http://fuzzlabs.dcnws.com -- perhaps along with a debugger or fault monitor, such as Immunity Debugger. The book, "Windows Stack Exploitation" goes in depth with the latter. There are also five clever Nmap NSE scripts: citrix-brute-xml, citrix-enum-servers, citrix-enum-servers-xml, citrix-enum-apps, and citrix-enum-apps-xml and a great third-party contributed NSE script: vulscan.

Yokoso has fingerprints for some Citrix services -- http://yokoso.inguardians.com -- These signatures are also likely to be in the Nmap http-enum NSE script.

metasploit-framework has:

use .*citrix_stream <tab>, <tab> <tab> (for port 6905)
use .*citrix_access <tab> (for port 443 in a Citrix environment)
use .*citrix_pub <tab>, <tab> <tab> (for port 1604)

Nessus has:

exploit-db has:

Some of the best work I've seen is the seminal work from July 2009 and July 2008 by InsomniaSec (Brett Moore, et al.) -- https://www.insomniasec.com/releases -- check out the prezos "Heaps about Heaps" and "Hacking Citrix".

atdre
0

Citrix XenApp had a number of vulnerabilities, which have been updated. These are listed in the Citrix XenApp CVE list. Furthermore, the latest updates were released to patch security vulnerabilities such as Heartbleed. Citrix offers Security Bulletins, which are useful for keeping up to date with the latest security patches.

Jens Erat
ccutmt
  • It is interesting how Citrix chooses to work through their proprietary security bulletins instead of through the NVD and/or CERT/CC standard processes. – atdre Sep 22 '15 at 15:14