Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Citrix Command Center - Credential Disclosure Vulnerability

🗓️ 20 Mar 2015 00:00:00Reported by Han SahinType 
zdt
 zdt🔗 0day.today👁 26 Views

Citrix Command Center stores credentials in web-accessible folder, allowing unauthenticated attackers to download and decode passwords, gaining privileged access to managed devices

Code
Abstract
 
 
It was discovered that Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. Unauthenticated attackers can download any configuration file stored in this folder, decode passwords stored in these files, and gain privileged access to devices managed by Command Center.
 
Tested version
 
 
This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe), other versions may also be vulnerable.
 
Fix
 
 
Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required).
https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html
 
Citrix assigned BUG0493933 to this issue.
 
Introduction
 
 
Citrix Command Center is a management and monitoring solution for Citrix application networking products. Command Center enables network administrators and operations teams to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified console.
 
Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. No access control is enforced on this folder, an unauthenticated attacker can download any configuration file stored in this folder.
 
Details
 
 
Configuration files can be downloaded from the conf web folder. Below is an example of a configuration file that can be obtained this way.
 
https://<target>:8443/conf/securitydbData.xml
 
This files contains encoded passwords, for example:
 
<DATA ownername="NULL" password="C70A0eE9os9T2z" username="root"/>
 
 
These passwords can be decoded trivially. The algorithm used can be found in the JAR file NmsServerClasses.jar. For example the encoded password C70A0eE9os9T2z decodes to SECURIFY123. The credentials stored in these files can than be used to gain privileged access to devices managed by Command Center.

#  0day.today [2018-04-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Mar 2015 00:00Current
7.1High risk
Vulners AI Score7.1
citrix command centercredential disclosurevulnerabilityweb serverunauthenticated attackersconfiguration filesaccess controlprivileged accessexploit
26