Citrix has some interesting products, like XenApp, which allow people to access corporate applications from tablets, Windows terminals, Windows servers and PCs. Depending on how you use them, you might be creating vulnerabilities for your information assets.
Let's talk about published applications on Citrix with no extra authentication factor in place, which is the majority of cases. People tend to use mobile devices these days, and when they are the big bosses in the company they want to handle their information in the easiest possible way, so most of them require IT to publish the ERP payments module: that way they can authorize payments from any place, in any situation that gives them two minutes to perform the operation. If the company happens to handle lots and lots of money, attackers might approach any inside employee willing to earn some extra money.

The first thing to do is to determine whether the Citrix farm behind the Citrix Access Gateway where the user is authenticated publishes the ERP payment application. How can you do that? You can use the citrix-enum-apps Nmap script, which queries the legacy ICA browser service on UDP port 1604 and needs no credentials. The syntax is:

nmap -sU --script=citrix-enum-apps -p 1604 citrix-server-ip

If the attacker gets output like the following, the company could definitely be in big trouble:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-21 17:38 (SA Pacific Standard Time)

Bingo! Provider payments is being published. All we need to do is perform a good old man-in-the-middle attack against the IIS server and we will have a username/password to generate arbitrary payments. How can you remediate this situation?
Manuel Humberto Santander Peláez, ISC Handler, Jan 21st 2014
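The nmap command above already does the enumeration; what a defender usually wants next is to run it against every server in the farm and pick out the dangerous results. As an added example (not code from the original diary, from Citrix or from the Nmap project), the following Python script reads the XML that nmap writes with -oX, lists the applications each host returned on 1604/udp, and flags names that match a watchlist of sensitive business functions. The sample XML, the 10.0.0.x addresses and the watchlist patterns are constructed for illustration and are assumptions, not data from the post. It also separates confirmed results from hosts that simply did not answer, because a UDP scan reports a silent port as open|filtered and cannot tell the two apart.

```python
"""Triage nmap citrix-enum-apps results across a Citrix farm.

Reads the XML written by
    nmap -sU --script=citrix-enum-apps -p 1604 -oX farm.xml <farm-range>
lists the published applications each server returned over the ICA browser
service on 1604/udp, and flags names matching a watchlist of sensitive
business functions.
"""
import re
import xml.etree.ElementTree as ET

# Watchlist of published-application names that should never be reachable
# without a second authentication factor. These patterns are assumptions
# chosen for this example; tune them to your own application catalogue.
SENSITIVE_PATTERNS = [r"payment", r"treasury", r"payroll", r"\bERP\b", r"wire", r"bank"]

# Constructed sample of nmap -oX output for this example (not a real scan).
# 10.0.0.5 answers with structured <elem> output, 10.0.0.7 only with the
# free-text "output" attribute, and 10.0.0.6 never answers at all.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sU --script=citrix-enum-apps -p 1604 -oX farm.xml 10.0.0.0/29" version="6.40">
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports><port protocol="udp" portid="1604"><state state="open" reason="udp-response" reason_ttl="128"/>
<service name="icabrowser" method="table" conf="3"/>
<script id="citrix-enum-apps" output="&#xa;  Notepad&#xa;  Provider payments&#xa;  ERP - Accounts Payable">
<elem>Notepad</elem><elem>Provider payments</elem><elem>ERP - Accounts Payable</elem>
</script></port></ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.6" addrtype="ipv4"/>
<ports><port protocol="udp" portid="1604"><state state="open|filtered" reason="no-response" reason_ttl="0"/>
<service name="icabrowser" method="table" conf="3"/></port></ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.7" addrtype="ipv4"/>
<ports><port protocol="udp" portid="1604"><state state="open" reason="udp-response" reason_ttl="128"/>
<script id="citrix-enum-apps" output="&#xa;  Microsoft Word&#xa;  Calculator"/>
</port></ports></host>
</nmaprun>
"""


def parse_citrix_apps(xml_text):
    """Return {address: {"state": port_state, "apps": [names]}} for every host scanned on 1604/udp."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            if port.get("protocol") != "udp" or port.get("portid") != "1604":
                continue
            state_el = port.find("state")
            state = state_el.get("state") if state_el is not None else "unknown"
            apps = []
            for script in port.findall("script[@id='citrix-enum-apps']"):
                # Newer nmap versions emit one <elem> per published application.
                apps.extend(e.text.strip() for e in script.iter("elem") if e.text and e.text.strip())
                if not apps:
                    # Fall back to the free-text "output" attribute: one application per line.
                    apps.extend(line.strip() for line in script.get("output", "").splitlines() if line.strip())
            results[addr] = {"state": state, "apps": apps}
    return results


def flag_sensitive(results, patterns=SENSITIVE_PATTERNS):
    """Return sorted (address, application) pairs whose name matches the watchlist."""
    regex = re.compile("|".join(patterns), re.IGNORECASE)
    return sorted((addr, app) for addr, info in results.items() for app in info["apps"] if regex.search(app))


def unconfirmed(results):
    """Hosts that returned nothing: for UDP, no answer means open OR filtered, so this is not a clean result."""
    return sorted(addr for addr, info in results.items() if not info["apps"] and "filtered" in info["state"])


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    res = parse_citrix_apps(text)
    for addr, info in sorted(res.items()):
        print(f"{addr} ({info['state']}): {', '.join(info['apps']) or 'no application list returned'}")
    for addr, app in flag_sensitive(res):
        print(f"SENSITIVE: {addr} publishes '{app}' to anyone who can reach 1604/udp")
    for addr in unconfirmed(res):
        print(f"UNCONFIRMED: {addr} did not answer on 1604/udp; rescan from an internal segment")
```

Run it as `python citrix_triage.py farm.xml` after scanning the farm range with `-oX farm.xml`; with no argument it runs against the embedded sample. An empty list for a host means the ICA browser did not answer from where you scanned, not that nothing is published, so the scan is worth repeating from the internal network segments an insider would have access to.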
You wrote:
"I will never have my identity stealed". s/stealed/stolen/ [G,D,RLH]
Anonymous, Jan 22nd 2014
Then again, he *did* say it was a misconception...
Vincent T, Jan 22nd 2014
I'll speak as a Citrix architect and say if you are exposing the legacy UDP 1604 to the internet you are asking to be owned. This has been a deprecated method of enumerating applications for at least 5 years. I would consider this a non-issue, except for the quantity of unsupportable legacy crap I see enterprises still calling mission critical. If you are doing something crazy like putting Citrix servers (or any Windows box, for that matter) on the internet with a public IP or unfirewalled 1-to-1 NAT, you will get what you deserve. If you have business-critical data on a MetaFrame 3.0 box you will also see fail. As an IT admin who has been placed in the position of "supporting" this kind of stuff, I know in my heart that the business unit that will not fund the upgrade is responsible when this falls down. The reality is that IT will be faulted for not securing it. Ramblings of the Citrix Goon...
itrixoon, Jan 23rd 2014
It does appear that the use of port 1604 has been deprecated by Citrix, but when installing the latest version of XenApp a firewall rule is added by the installer which opens inbound UDP port 1604. So whether or not Citrix uses it, the installer opens it, for everyone. The concern raised in the post is that internal staff may be recruited to assist in the process. So whether you expose your XA site to the internet or not doesn't matter. It seems prudent to first try disabling the port altogether; if that is unacceptable, restricting it to specific inbound IPs would be a good second approach.
djs191, Jan 23rd 2014
XenDesktop 7.1 has a new architecture, and if the installer is still opening 1604 on the DDCs then I'll throw Citrix a ticket ASAP. There is no service behind it in any case, so the risk is low. In 6.5 you have session hosts (which do not run any enumeration services) and brokers, which can do enumeration. Depending on your needs, you can build a wall around your brokers and only let the session hosts and your front ends speak to them. I am not near a 6.5 installation, but UDP support ended in 5.0 in my recollection. If you are running 6.0 we will have a moment of silence for your pain...
itrixoon, Jan 24th 2014