Citrix's Access Gateway solution provides an SSL based VPN via the Web browser. This is accomplished through the use of an ActiveX control. The control itself is provided by the server upon connecting. Access Gateway functionality is provided by several models of Access Gateway Appliances. For more information, visit the URL referenced below.
Remote exploitation of an arbitrary library loading vulnerability in Citrix Systems, Inc.'s Access Gateway Client ActiveX control allows remote attackers to execute arbitrary code.
The vulnerability exists within the ActiveX control with the following identifiers:
CLSID: 181BCAB2-C89B-4E4B-9E6B-59FA67A426B5 ProgId: NSEPA.NsepaCtrl.1 File: %WINDIR%Downloaded Program Filesnsepa.ocx
When processing HTTP header data provided by the Access Gateway server, the client ActiveX control loads a dynamic link library (DLL) without first ensuring that it is from a trusted source. Rather than validating that the DLL has a valid signature, the ActiveX control only checks the canonical name of the certificate used for signing. By signing a DLL with a self-signed certificate using one of the allowed names, an attacker can execute arbitrary code.
Exploitation allows attackers to execute arbitrary code in the context of the currently logged-on user. To exploit this vulnerability, a targeted user must load a malicious Web page created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites.
Additionally, a targeted user must have this control already installed or must accept several warning prompts at the time that the attack is taking place. This control is not on the white list included with Internet Explorer 7.0. More information can be found at the following URL.
This particular control also has an additional prompt inquiring whether or not the user wishes to allow an "Endpoint Analysis" scan. The options presented are "Yes", "No", and "Always Allow". Clicking "Yes" or "Always Allow" can lead to exploitation. Clicking "No" can not result in exploitation. Also, clicking "Always Allow" will create a registry key enabling automatic scanning for all future uses of the control.
The following versions of Citrix Access Gateway Enterprise Edition are vulnerable:
Setting the kill-bit for this control will prevent it from being loaded within Internet Explorer. However, doing so will prevent legitimate use of the control.
Citrix has released a patch which addresses this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
07/01/2009 Initial Vendor Notification
07/02/2009 Initial Vendor Reply
07/14/2011 Coordinated Public Disclosure
This vulnerability was discovered by Joshua J. Drake of iDefense Labs.
Get paid for vulnerability research
Free tools, research and upcoming events
Copyright © 2011 Verisign, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.