The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include:
- a remote attacker is able to send packets to a target system
- a locally authenticated attacker executes code to elevate privileges
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Citrix Workspace App For Linux 2212 Credential Leak
# Citrix Linux client credential leak
The Citrix Linux client emits its session credentials when starting a Citrix
session. These credentials end up being recorded in the client's system log.
Citrix do not consider this to be a security vulnerability.
# Software affected
- Citrix Workspace App for Linux version 2212.
Other versions are likely affected.
# Context
When connecting to a Citrix session via a web browser such as Firefox on Linux,
typically you access a web application known as Citrix Storefront. This
provides clickable icons for the applications and remote desktop sessions
available to you.
When you click on one of these, your browser is instructed to open a URL of the
form `receiver://.....` which is handled using `/opt/Citrix/ICAClient/util/ctxwebhelper`.
`ctxwebhelper` parses the URL and uses the decoded information to make an HTTP
GET request to the remote server for an 'ica' file, which contains the
connection details necessary to launch the Citrix client software,
`/opt/Citrix/ICAClient/wfica`.
The ICA file contains details such as the server hostname and temporary session
credentials needed to authenticate the session.
# The issue
When making the GET request to retrieve the ICA file, `ctxwebhelper` echoes the
full HTTP response (headers & body) to standard output, which ends up feeding
into journald and then into the system log files.
This can be demonstrated by connecting to a Citrix session and running:
```sh
grep 'receiver\.desktop.*LogonTicket=' /var/log/syslog
```
which will produce output such as
```
2023-01-12T11:15:46.816466+00:00 myhostname receiver.desktop[9999]: LogonTicket=1234567890ABCDEF1234567890ABCD
```
# Vendor response
Citrix responded to my report on 2023-01-05 to say they do not consider this a product vulnerability:
Thank you for bearing with us. We have concluded the security
investigation into the reported issue and determined that the contents
of /var/log/syslog can only be read or written by root user, or a
syslog user or an adm group but not by an unprivileged user. As a
result, we do not consider this finding as a vulnerability in the
product.
We would like to thank you for submitting the finding and helping to
keep Citrix customers safe.
Best Regards,
Citrix Security Response Team
This is short-sighted in my opinion - logs should not be considered safe places
to store credentials, even temporary ones.
# Workaround
Since Citrix do not consider this a vulnerability, it seems unlikely this behaviour will change.
You can work around this issue by replacing ctxwebhelper with a wrapper script
that either discards or filters its output.
First, rename `ctxwebhelper`:
```sh
mv /opt/Citrix/ICAClient/util/ctxwebhelper /opt/Citrix/ICAClient/util/ctxwebhelper.real
```
Next, put a script in its place which first redirects stdout and stderr to /dev/null and then executes the real `ctxwebhelper`:
```sh
#!/bin/bash
set -eu
exec &>/dev/null
"$(dirname "$0")"/ctxwebhelper.real "$@"
```
Don't forget to `chmod +x /opt/Citrix/ICAClient/util/ctxwebhelper` after doing this.
This script is available from this repository - see `ctxwebhelper.wrapper`.
Note that this will be overwritten if the Citrix client is reinstalled.
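The workaround above mentions that the wrapper can either discard or filter the helper's output. The script below is an added example, not part of the advisory's repository or of Citrix's software: it is a filtering variant of the wrapper that keeps the helper's output flowing to journald but masks the credential-bearing ICA fields, and it also provides an audit function that finds tickets already written to a syslog-style file without printing the ticket value again. It assumes the `ctxwebhelper.real` name and location from the workaround; `LogonTicket` is the field the advisory shows leaking, while `ClearPassword` and `Password` are assumed additional secret-carrying ICA keys.

```shell
#!/bin/sh
# Added example (not from the advisory's repository): a filtering variant of the
# ctxwebhelper wrapper. Instead of discarding all of the helper's output, it
# passes the output on with credential-bearing ICA fields masked, and doubles
# as a log audit tool for checking what has already leaked.
set -eu

# Replace the value of a credential-bearing ICA field with a marker. Everything
# after "=" is dropped because the value is the last thing on the line (as in
# the advisory's syslog sample). LogonTicket is the field shown leaking;
# ClearPassword and Password are assumed additional secret-carrying ICA keys.
# "LogonTicketType=..." is left alone because the key must be followed by "=".
redact_secrets() {
    sed -E 's/(LogonTicket|ClearPassword|Password)=.*$/\1=[REDACTED]/'
}

# Scan an existing syslog-style file for the lines the advisory's grep would
# find, printing each hit with the ticket masked. Returns 0 when hits exist and
# 1 when the log is clean, so a monitoring job can alert without re-displaying
# the secret. grep's status is captured before the pipe so the result does not
# depend on pipefail, which plain sh lacks.
audit_log() {
    hits=$(grep -E 'receiver\.desktop.*LogonTicket=' "$1") || return 1
    printf '%s\n' "$hits" | redact_secrets
}

# Wrapper mode: when installed as /opt/Citrix/ICAClient/util/ctxwebhelper next
# to the renamed ctxwebhelper.real (as in the advisory's workaround), run the
# real helper and filter everything it writes on stdout and stderr. When the
# real helper is not present (e.g. when this file is run on its own), only the
# functions above are defined.
REAL_HELPER="$(dirname "$0")/ctxwebhelper.real"
if [ -x "$REAL_HELPER" ]; then
    "$REAL_HELPER" "$@" 2>&1 | redact_secrets
fi
```

Because the masked lines keep their key names, the journal still shows that an ICA file was fetched and which fields it carried, which is usually all that is wanted for troubleshooting. Like the original wrapper, this file is overwritten when the Citrix client is reinstalled.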
# Timeline
2022-12-11: Issue disclosed to Citrix via email to [email protected]
2022-12-13: Citrix acknowledges receipt of the report, assigns identifier `CASE-8324`.
2023-01-05: Citrix responds to say they do not consider it a vulnerability.
2023-01-07: Reply to Citrix requesting they reconsider their assessment.
2023-01-14: Public disclosure.
# Author
Russell Howe. [Github](https://github.com/rhowe) [Twitter](https://twitter.com/rhowe212).
ctxwebhelper.wrapper:
```sh
#!/bin/bash
# Brexit flags: exit on any error (-e) and treat unset variables as errors (-u)
set -eu
# Ensure stdout and stderr are discarded
exec &>/dev/null
# Execute the real ctxwebhelper
"$(dirname "$0")"/ctxwebhelper.real "$@"
```