Citrix CloudPlatform Unauthorized Access Vulnerability (CTX140989)

2014-12-01T00:00:00
ID CITRIX_CLOUDPLATFORM_MANAGER_CVE-2013-6398.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

Virtual routers created in Citrix CloudPlatform do not preserve the source restrictions in their firewall rules after being restarted. This allows a remote attacker to bypass the intended restrictions and access network resources after a virtual router has been restarted.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. When the scanner sets `description`, only the metadata
# below is declared and the script exits (exit(0)) before any of the check
# logic further down is reached.
if (description)
{
  script_id(79640);
  script_version("1.3");
  script_cvs_date("Date: 2018/11/15 20:50:16");

  # Public identifiers that findings from this plugin are mapped to.
  script_cve_id("CVE-2013-6398");
  script_bugtraq_id(64782,69432);

  script_name(english:"Citrix CloudPlatform Unauthorized Access Vulnerability (CTX140989)");
  script_summary(english:"Checks the version and configuration of Citrix CloudPlatform.");

  script_set_attribute(attribute:"synopsis", value:
"The application on the remote web server has an unauthorized access
vulnerability related to virtual routers.");
  script_set_attribute(attribute:"description", value:
"Virtual routers created in Citrix CloudPlatform do not preserve the
source restrictions in their firewall rules after being restarted.
This allows a remote attacker to bypass the intended restrictions and
access network resources after a virtual router has been restarted.");

  # Vendor advisory and remediation. The fixed builds named here carry a
  # fourth component / patch letter, which matters for the granularity
  # handling in the check body.
  script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX140989");
  script_set_attribute(attribute:"solution", value:"Upgrade to version 3.0.7 Patch D / 4.2.1.3 or later.");
  # CVSSv2 base vector: network access vector, medium access complexity, no
  # authentication, partial confidentiality impact, no integrity or
  # availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  # CVSSv2 temporal vector: exploitability not defined, official fix
  # available, report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Disclosure, vendor patch and plugin release dates (YYYY/MM/DD).
  script_set_attribute(attribute:"vuln_publication_date", value:"2013/11/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/08/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:citrix:cloudplatform");
  script_end_attributes();

  # Registered as an information-gathering check.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  # Scheduling prerequisites: the detection plugin is declared as a
  # dependency, and the "installed_sw/Citrix CloudPlatform" KB key must exist
  # (presumably written by that detection plugin -- confirm there).
  script_dependencies("citrix_cloudplatform_manager_detect.nbin");
  script_require_keys("installed_sw/Citrix CloudPlatform");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("webapp_func.inc");
include("citrix_cloudplatform.inc");

# ---------------------------------------------------------------------------
# Check body: decide whether the detected CloudPlatform install falls in the
# version range covered by CTX140989 and whether virtual routers are present.
# ---------------------------------------------------------------------------

# Locate the install recorded by the detection plugin. Both helpers are asked
# to stop the script when nothing usable is known (exit_if_zero,
# exit_if_unknown_ver).
appname = "Citrix CloudPlatform";
get_install_count(app_name:appname, exit_if_zero:TRUE);
port    = get_http_port(default:8080);

install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);
url     = build_url(port:port, qs:install["path"]);

# Per the original author's notes: the version is only retrievable with
# authentication, and the session values should be present whenever the
# version is known.
version = install['version'   ];
jsess   = install["JSESSIONID"];
skey    = install["sessionkey"];

# The API exposes only the first three version components, so "4.2.1" and
# "3.0.7" cannot be told apart from the fixed builds 4.2.1.3 / 3.0.7 Patch D.
# Outside paranoid mode, stop with a "version not granular" audit instead of
# guessing.
if (report_paranoia < 2)
{
  if (version == "4.2.1" || version == "3.0.7")
    audit(AUDIT_VER_NOT_GRANULAR, appname, version);
}

# Query the router list through the management API using the stored session.
apibuf = cloudplatform_api_kb_item(
  port       : port,
  command    : "listRouters",
  jsessionid : jsess,
  sessionkey : skey
);
if (apibuf == CITRIX_CP_ERROR_COM)
  audit(AUDIT_RESP_BAD, port);
else if (isnull(apibuf))
  audit(AUDIT_FN_FAIL, "cloudplatform_api_kb_item");

needs_auth = cloudplatform_needs_authentication(apibuf:apibuf);

# A response is treated as "routers exist" only if every marker below occurs
# somewhere in it. These are plain substring tests, not a parse of the
# response; note that "id" is itself a substring of "podid" and "zoneid", so
# it adds no extra discrimination.
has_routers = TRUE;
foreach marker (make_list("listroutersresponse", "id", "account", "podid", "zoneid"))
{
  if (marker >!< apibuf)
  {
    has_routers = FALSE;
    break;
  }
}

# Router condition: routers were seen, or -- in paranoid mode only -- the
# session lacked the privileges to list them.
# NOTE(review): when needs_auth is set and report_paranoia < 2 the script ends
# with AUDIT_WEB_APP_NOT_AFFECTED even though router presence was never
# determined; readers of the audit trail should treat that as "unknown", not
# as a confirmed negative.
router_condition = (has_routers || (needs_auth && report_paranoia >= 2));
if (!router_condition)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url);

# Version condition: 4.2.x up to and including 4.2.1, or 3.x up to and
# including 3.0.7.
# NOTE(review): versions matching neither pattern (e.g. other 4.x branches)
# are reported as not affected -- confirm against CTX140989 that this is the
# intended coverage.
in_affected_range = FALSE;
if (version =~ "^4\.2\.")
  in_affected_range = (ver_compare(ver:version, fix:"4.2.1", strict:FALSE) <= 0);
if (!in_affected_range && version =~ "^3\.")
  in_affected_range = (ver_compare(ver:version, fix:"3.0.7", strict:FALSE) <= 0);

if (!in_affected_range)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url);

# Both conditions hold: raise the finding, with detail when verbosity allows.
if (report_verbosity > 0)
{
  report =
    '\n  Installed version : ' + version +
    '\n  Fixed version     : 4.2.1.3 / 3.0.7 Patch D';

  # Add a note about the missing privileges so the reader knows router
  # presence was assumed rather than observed.
  if (needs_auth)
  {
    report = report +
      '\n  Note: The credentials provided have insufficient privileges to ' +
      '\n        determine if virtual routers have been configured.  This ' +
      '\n        flaw only affects virtual routers.';
  }

  security_warning(port:port, extra:report + '\n');
}
else
{
  security_warning(port:port);
}