So just in case you are not aware, this would appear to ONLY be a Security issue where you have AAC AND you are using LDAP Authentication, but it’s probably worth checking the list of Fixes?
FrSIRT Advisory
Technical Description
A vulnerability has been identified in Citrix Access Gateway, which could be exploited by attackers to bypass security restrictions. This flaw is due to an error in the Advanced Access Control option (AAC) when configured to use LDAP authentication, which could be exploited by attackers to gain unauthorized access to a vulnerable application without supplying valid credentials.
Affected Products
Citrix Access Gateway with Advanced Access Control version 4.2
Solution
Apply hotfix AAC420W004:
http://support.citrix.com/servlet/KbServlet/download/11002-102-15244/AAC420W004.zip
References
http://www.frsirt.com/english/advisories/2006/3643
http://support.citrix.com/article/CTX110950
http://support.citrix.com/article/CTX110439
Credits
Vulnerability reported by the vendor
Fixes….
- Allowing Web resources to bypass Web proxy URL rewriting can be accomplished using policies. Previously, the option Bypass Web proxy URL rewriting was located in the New Web Resource wizard. Modifying this option required you to edit the properties of each Web resource. By installing this fix, you can allow Web resources to bypass Web proxy URL rewriting based on the access scenario rather than on the Web resource. Using policies to configure URL rewriting for Web resources may be appropriate if, for example, you have resources that users access from both internal and external logon points. Using this hotfix allows you to bypass Web proxy URL rewriting for resources accessed through the internal logon point.
After you install this fix, the option Bypass Web proxy URL rewriting no longer appears on the New Web Resource wizard. Instead, the fix migrates this option, now called Bypass UrlRewriting, to the policy properties. If you configured existing Web resources to bypass Web proxy URL rewriting prior to installing the hotfix, the Bypass UrlRewriting policy setting is enabled and set to Allowed in policies that affect those Web resources after installation. For existing Web resources that do not bypass Web proxy URL rewriting, the Bypass UrlRewriting policy setting is set to Not Configured. If you have a policy that includes two or more Web resources with differing URL rewriting settings (for example, two resources bypass the Web proxy and three resources do not), the Bypass UrlRewriting policy setting is set to Not Configured after installing the hotfix.
To allow a Web resource to bypass Web proxy URL rewriting:
- From the Access Suite Console, expand Policies and then double-click the policy affecting the Web resource. If no policy exists, click Create access policy under Common Tasks.
- On the Settings page, select Bypass UrlRewriting and then select Enable this policy to control this setting.
- Select the option to allow the setting.
To enable Web proxy URL rewriting, select the option to deny the setting or clear the Enable this policy to control this setting checkbox.
[From AAC420W001][#128416]
- This hotfix introduces a usability enhancement that allows users who change their password and are prompted by the access center for their old passwords to reset their profiles, then log on to the access center. Their personalized settings and cached credentials are discarded. After installing this hotfix, import the updated Access Center CDA cab file on the server running Citrix Advanced Access Control. To do this:
- In the Access Suite Console, right-click Access Centers and select Manage CDAs.
- Select Import, browse to Program Files\Citrix\Access Gateway\Bin\ctxcdaSessionInit.CAB and then click Open.
[From AAC420W002][#122742]
- The Program Neighborhood CDA cannot maintain stored credentials after an administrator makes changes on the Access Suite Console for the access center.
[From AAC420W002][#129946]
- This fix introduces support for Universal Principal Names (UPN), such as user@domain.com, as a method of authenticating to logon points. To enable or disable UPN support, you must set the following registry key:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MSAM\WebProxy
Name: EnableUPNUsernamesForWebResources
Type: REG_DWORD
Data: 1 (to enable UPN support) or 0 (to disable UPN support)
Additionally, modify the web.config file for CitrixLogonAgent to hide the domain field on the logon page:
<add key="HideDomainField" value="true" />
Finally, you can add this line to allow the UPN-formatted username to be passed to RSA. Without it, only the username is sent.
<add key="SendCompleteUserNameToRSA" value="true" />
[From AAC420W002][#130576]
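The UPN fix above spreads one logon behaviour across a registry value and two web.config keys, so it is easy to end up with UPN logon switched on while the domain field is still shown or RSA still receives only the bare username. The following PowerShell audit script is an added example, not Citrix's code or part of the hotfix: it reads the EnableUPNUsernamesForWebResources value, looks up the two appSettings keys named in the fix, and reports whether the three settings agree. It assumes the keys live under the standard `configuration/appSettings` section of web.config, and the web.config path is a placeholder you must replace, since the page does not give it.

```powershell
# Added audit example (not Citrix code): report the UPN logon settings from
# hotfix AAC420W002 #130576 on an AAC server and flag inconsistent combinations.
param(
    # PLACEHOLDER: path to the CitrixLogonAgent web.config (not stated on the page)
    [string]$WebConfigPath = 'C:\PLACEHOLDER\CitrixLogonAgent\web.config'
)

$regPath = 'HKLM:\SOFTWARE\Citrix\MSAM\WebProxy'
$regName = 'EnableUPNUsernamesForWebResources'

# Registry value from the fix note: REG_DWORD 1 enables UPN logon, 0 disables it.
$upnValue = $null
if (Test-Path $regPath) {
    $upnValue = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
}
switch ($upnValue) {
    1       { Write-Output "UPN support: ENABLED ($regName = 1)" }
    0       { Write-Output "UPN support: DISABLED ($regName = 0)" }
    default { Write-Output "UPN support: NOT CONFIGURED ($regName missing under $regPath)" }
}

if (-not (Test-Path $WebConfigPath)) {
    Write-Output "web.config not found at $WebConfigPath (pass -WebConfigPath)"
    return
}

# Assumption: the <add key=... value=... /> lines sit under configuration/appSettings,
# the normal place for ASP.NET application settings.
[xml]$config = Get-Content -Path $WebConfigPath -Raw
$appSettings = @($config.configuration.appSettings.add)

function Get-AppSetting([string]$Key) {
    $node = $appSettings | Where-Object { $_.key -eq $Key }
    if ($null -eq $node) { return $null }
    return $node.value
}

$hideDomain = Get-AppSetting 'HideDomainField'
$sendUpnToRsa = Get-AppSetting 'SendCompleteUserNameToRSA'

Write-Output ("HideDomainField: " + $(if ($null -eq $hideDomain) { 'not set (domain field shown)' } else { $hideDomain }))
Write-Output ("SendCompleteUserNameToRSA: " + $(if ($null -eq $sendUpnToRsa) { 'not set (only the username is sent to RSA)' } else { $sendUpnToRsa }))

# Consistency checks: the fix note pairs UPN logon with hiding the domain field,
# and optionally with forwarding the full UPN to RSA.
if ($upnValue -eq 1) {
    if ($hideDomain -ne 'true') {
        Write-Warning "UPN logon is enabled but HideDomainField is not 'true'; the logon page still shows a domain field."
    }
    if ($sendUpnToRsa -ne 'true') {
        Write-Output "Note: UPN logon is enabled but SendCompleteUserNameToRSA is not 'true'; RSA receives only the username part."
    }
} elseif ($hideDomain -eq 'true') {
    Write-Warning "HideDomainField is 'true' but UPN logon is not enabled in the registry; users have no way to supply a domain."
}
```

Run it on the server hosting Advanced Access Control (reading HKLM requires a local administrator session) and treat any warning as a configuration mismatch to resolve before rolling the change out to users.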
- After applying this fix, users are required to enter their old password when prompted in order to gain access to the Access Center and cannot bypass this screen using the browser’s back button.
[From AAC420W002][#129893]
- After applying this fix, users whose passwords are set by an administrator to be both blank and changed at next logon can correctly change their passwords the next time they log on.
[From AAC420W002][#129609, 130928]
- The network resource 0.0.0.0 is denied by default.
[From AAC420W002][#132297]
- After applying this hotfix, users no longer have access rights to AAC shares and content when their NTFS permissions are removed.
[From AAC420W002][#129710]
- After applying this hotfix, attachments via email can be performed from an AAC share. The service account no longer needs to be explicitly set as an NTFS security member of that share.
[From AAC420W002][#131502]
- Policy checks for resources that use token replacement are case sensitive.
[From AAC420W002][#130048]
- Session data can be sent in the form of browser cookies to third party web sites when using the Web Proxy.
[From AAC420W002][#95586]
- Tasks such as Check In, Check Out, and Version History, which are associated with the Document Library of a SharePoint site, may not be available for use.
[From AAC420W003][#134191]
- This fix addresses a security vulnerability. For more information, see Knowledge Center article CTX110950.
[From AAC420W004][#131634]
- If a user adds or removes a subfolder in a file share exposed through the File System Browser, other users cannot see that the subfolder was added or removed. The issue occurs because the program maintains a cache of file and subfolder names in the published file shares to reduce the time it takes to display them to each user; the cache does not reflect changes at the subfolder level.
[From AAC420W004][#134244]