#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Access Gateway (Appliance) a.k.a. CAG
# Vendor: Citrix
# CVE ID: CVE-2007-4018 (CTX113816)
# Subject: Redirection Vulnerability
# Severity: Medium
# Effect: Remotely exploitable
# Author: Cyrill Brunschwiler
# Date: April 15th 2008
#
#############################################################

Introduction:
-------------
Vulnerabilities have been identified in Access Gateway Advanced Edition
that may allow an attacker to redirect a user to an arbitrary web site.
It may be possible for an attacker to exploit this type of behavior to
facilitate phishing attacks.

Affected:
---------
These vulnerabilities affect all versions of Access Gateway Advanced
Edition when deployed with an Access Gateway appliance with firmware
version up to and including 4.5.2. Access Gateway Standard and Access
Gateway Enterprise Editions are not vulnerable to these issues.

- Access Gateway 4.5 Advanced Edition
- Access Gateway 4.5 Standard Edition
- Advanced Access Control 4.2

Description:
------------
Client web browsers are redirected to the SSL-protected web service
when the remote user requests an unencrypted CAG web page. This
behavior helps to ensure that further data packets are transmitted
over encrypted (SSL) channels only. However, if an attacker spoofs the
virtual domain (Host) header, the client is redirected to the spoofed
domain. This allows various forms of hijacking and phishing.

    host:~ # netcat 123.123.123.123 80
    GET / HTTP/1.1
    host: www.hacker.org

    HTTP/1.1 301 Moved Permanently
    Cache-Control: no-cache
    Connection: close
    Accept-Ranges: none
    Location: https://www.hacker.org:443/

CAG is expected to redirect to trusted domains only (to itself or to
the customer’s domains only).

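Added example, not part of the original advisory and not Citrix code: a
sketch of the reflected redirect described above next to a redirect that
builds Location from an allowlist. TRUSTED_HOSTS, CANONICAL_HOST and all
function names are assumptions made for illustration.

```python
import re

# Assumed for illustration: hostnames this gateway legitimately serves.
TRUSTED_HOSTS = frozenset({"gateway.example.com", "vpn.example.com"})
CANONICAL_HOST = "gateway.example.com"

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def reflecting_redirect_location(host_header):
    """Behaviour shown in the advisory: the Host value is echoed into Location."""
    return f"https://{host_header}:443/"


def normalize_host(host_header):
    """Return the lowercased hostname from a Host header, or None if malformed."""
    if not host_header:
        return None
    value = host_header.strip().lower()
    host, sep, port = value.rpartition(":")
    if sep and not port.isdigit():
        return None          # "host:" or "host:abc", or stray characters after ':'
    if not sep:
        host = value         # no port present
    host = host.rstrip(".")  # treat "example.com." as "example.com"
    if len(host) > 253 or not _HOST_RE.fullmatch(host):
        return None          # rejects '@', '/', whitespace, CR/LF, empty host
    return host


def https_redirect_location(host_header):
    """Build the HTTP->HTTPS Location from the allowlist, never from raw input."""
    host = normalize_host(host_header)
    if host not in TRUSTED_HOSTS:
        host = CANONICAL_HOST  # unknown or malformed Host: fall back to our own name
    return f"https://{host}:443/"


if __name__ == "__main__":
    for sample in ("www.hacker.org", "VPN.example.com:80", "x@www.hacker.org"):
        print(f"{sample!r:24} reflected={reflecting_redirect_location(sample)} "
              f"hardened={https_redirect_location(sample)}")
```
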
Patches:
--------
This vulnerability has been addressed in the Access Gateway firmware
version 4.5.5. It is therefore strongly recommended that customers
upgrade their Access Gateway appliance to firmware version 4.5.5 and
upgrade to Access Gateway Advanced Edition 4.5 HF1.

These upgrades can be obtained from the following locations:

- Access Gateway Appliance firmware 4.5.5:
  http://support.citrix.com/article/CTX114028
- Advanced Access Control HF1:
  http://support.citrix.com/article/CTX112803

Timeline:
---------
Vendor Status:    Patch released
Vendor Notified:  June, 14th 2007
Vendor Response:  June, 27th 2007
Patch Available:  July, 19th 2007
Issue Confirmed:  July, 18th 2008
Advisory Release: April, 25th 2008

References:
-----------
- CTX113816, Vulnerabilities in CAG Advanced Edition could allow
  redirection to arbitrary web sites,
  http://support.citrix.com/article/CTX113816
- AusCERT, Citrix Access Gateway and Advanced Access Control multiple
  vulnerabilities,
  http://www.auscert.org.au/render.html?it=7880