Citrix Gateway 11.1 / 12.0 / 12.1 Information Disclosure

`Advisory ID: SYSS-2020-004  
Product: Citrix Gateway  
Manufacturer: Citrix Systems, Inc.  
Affected Version(s): 11.1, 12.0, 12.1  
Tested Version(s): 11.1.63.15, 12.0.63.13, 12.1.55.18  
Vulnerability Type: Information Exposure Through Caching (CWE-512)  
Risk Level: Information Disclosure  
Solution Status: Open  
Manufacturer Notification: 2020-01-31  
Solution Date: no solution  
Public Disclosure: 2020-03-05  
CVE Reference: CVE-2020-10110  
Author of Advisory: Micha Borrmann (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
"Citrix Gateway is a customer-managed solution that can be deployed on  
premises or on any public cloud, such as AWS, Azure, or Google Cloud  
Platform. Citrix Gateway provides users with secure access and single  
sign-on to all the virtual, SaaS and web applications they need to be  
productive." (see [1])  
  
The solution contains a caching system which shows how long an entry  
was in the cache.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
Some responses of the web based solution are handled with an included  
caching system. This system can be seen in the HTTP response header.  
The header also contains information, how long the response was in the  
cache. The number of seconds will never exceed the value of 112.  
After that period of time, the cache will be refreshed with an  
additional client request.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
$ curl --include --url https://$NSGATEWAYHOST/logon/themes/Default/resources/config.xml  
HTTP/1.1 200 OK  
Age: 21   
Date: Fri, 31 Jan 2020 11:53:17 GMT  
Expires: Thu, 01 Jan 1970 00:00:01 GMT  
Cache-Control: no-store, must-revalidate  
Connection: Keep-Alive  
Via: NS-CACHE-10.0: 121  
ETag: "12a-59c921b8df640"  
Server: Apache  
X-Frame-Options: SAMEORIGIN  
Last-Modified: Mon, 20 Jan 2020 13:17:05 GMT  
Accept-Ranges: bytes  
Content-Length: 298  
X-Citrix-Application: Receiver for Web  
Pragma: no-cache  
Keep-Alive: timeout=15, max=95  
Content-Type: application/xml  
  
<?xml version="1.0" encoding="utf-8" ?>  
<ResourceManager>  
<SupportedLanguageList>  
<Language>en</Language>  
<Language>de</Language>  
<Language>es</Language>  
<Language>fr</Language>  
<Language>ja</Language>  
<Language>zh-CN</Language>  
</SupportedLanguageList>  
</ResourceManager>  
  
The "Via" header indicates that there is a caching system in place. The  
"Age" header shows how many seconds the initial request was processed.  
A value of 1 indicates that the response is sent from the web server  
instead of from the cache.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
SySS GmbH is not aware of a solution to the described security issue.  
The Citrix Security Response Team responded on 02/28/2020 with the  
following statement: "We have determined that the described cache  
behavior does not have a security impact and is not considered a  
vulnerability."  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2020-01-22: Detection of the vulnerability  
2020-01-31: Vulnerability reported to manufacturer  
2020-02-28: Received vendor's response  
2020-03-04: CVE number assigned  
2020-03-05: Public release of the security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Citrix Gateway product website  
https://www.citrix.com/products/citrix-gateway/  
[2] SySS Security Advisory SYSS-2020-004  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-004.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Micha Borrmann of SySS GmbH.  
  
E-Mail: micha.borrmann (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc  
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory  
may be updated in order to provide as accurate information as  
possible. The latest version of this security advisory is available on  
the SySS Web site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
`