TITLE:
Citrix Access Gateway Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA26143

VERIFY ADVISORY:
http://secunia.com/advisories/26143/

CRITICAL:
Highly critical

IMPACT:
Cross Site Scripting, Exposure of sensitive information, System access

WHERE:
From remote

SOFTWARE:
Citrix Access Gateway 4.x
http://secunia.com/product/6168/

DESCRIPTION:
Some vulnerabilities and a security issue have been reported in Citrix Access Gateway, which can be exploited by malicious people to disclose sensitive information, conduct cross-site request forgery attacks, or to compromise a user's system.

1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user’s active session.

This security issue is reported in Access Gateway Advanced Edition 4.5 and prior.

2) Multiple unspecified errors in client components (Net6Helper.DLL and npCtxCAO.dll as ActiveX control and Firefox plugin) of Access Gateway Standard and Advanced Editions can be exploited to execute arbitrary code in the context of the logged-in user.

These vulnerabilities are reported in Access Gateway Standard Edition 4.5.2 and prior and Access Gateway Advanced Edition version 4.5 and prior with appliance firmware 4.5.2 and prior.

3) The web-based administration console of an Access Gateway appliance allows an administrator to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change certain configuration settings, by enticing a logged-in administrator to visit a malicious web site.

This vulnerability is reported in Access Gateway model 2000 appliances with firmware version 4.5.2 and prior. Access Gateway Enterprise Edition is reportedly not affected.

A redirection issue that may facilitate phishing attacks has also been reported.

SOLUTION:
Apply hotfix and update firmware to version 4.5.5.

Access Gateway Standard Edition 4.5:
http://support.citrix.com/article/CTX114028

Access Gateway Advanced Edition 4.5:
http://support.citrix.com/article/CTX112803

The vendor also recommends removing the following components from client devices:

VPN ActiveX components:
* Net6Helper.DLL (Friendly name: Net6Launcher Class, version number up to and including 4.5.2)

EPA Components (ActiveX):
* npCtxCAO.dll (Friendly name: CCAOControl Object, version number up to 4,5,0,0)

EPA Components (Firefox plugin):
* npCtxCAO.dll (Friendly name: Citrix Endpoint Analysis Client, present in two locations)

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Martin O’Neal, Corsaire.
2) The vendor credits Michael White, Symantec.
3) The vendor credits Paul Johnston.

ORIGINAL ADVISORY:
http://support.citrix.com/article/CTX113814
http://support.citrix.com/article/CTX113815
http://support.citrix.com/article/CTX113816
http://support.citrix.com/article/CTX113817

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.
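An added example, not part of the Secunia advisory or of Citrix's guidance: a PowerShell inventory of the client components the vendor recommends removing, reporting each file's version against the bounds quoted in the SOLUTION section. The search roots, the function name Get-CagClientComponent, and reading "up to 4,5,0,0" as inclusive are assumptions; the advisory gives no installation paths.

```powershell
# Added example: locate the client components named in SA26143 and compare
# their file versions with the bounds stated in the advisory.
# Assumption: the default search roots below; pass -Roots to cover other paths.
param(
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot)
)

# File names and version bounds copied from the advisory text.
# Fields = number of version fields the advisory's bound specifies.
# PowerShell hashtable literals match keys case-insensitively (Net6Helper.DLL / .dll).
$Components = @{
    'Net6Helper.dll' = @{ Max = [version]'4.5.2';   Fields = 3 }  # "up to and including 4.5.2"
    'npCtxCAO.dll'   = @{ Max = [version]'4.5.0.0'; Fields = 4 }  # "up to 4,5,0,0", read as inclusive (assumption)
}

function Get-CagClientComponent {
    param([string[]]$SearchRoots)

    # Skip roots that are unset (e.g. ProgramFiles(x86) on 32-bit hosts) or missing.
    $existing = $SearchRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    foreach ($root in $existing) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.dll' -ErrorAction SilentlyContinue |
            Where-Object { $Components.ContainsKey($_.Name) } |
            ForEach-Object {
                $rule = $Components[$_.Name]
                $vi   = $_.VersionInfo
                # Use the numeric fields of the version resource, not the free-form string.
                # A file without a version resource reports 0.0.0.0 and is shown as within bound.
                $nums = $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
                # Compare only as many fields as the advisory's bound specifies.
                $cmp  = [version](($nums[0..($rule.Fields - 1)]) -join '.')
                [pscustomobject]@{
                    Path              = $_.FullName
                    FileVersion       = ($nums -join '.')
                    StatedBound       = $rule.Max
                    WithinStatedBound = ($cmp -le $rule.Max)
                }
            }
    }
}

Get-CagClientComponent -SearchRoots $Roots | Format-Table -AutoSize
```

The advisory states no version bound for the Firefox plugin copy of npCtxCAO.dll, so every path the script reports for that file name should be reviewed regardless of the WithinStatedBound column.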