Multiple vulnerabilities in Citrix Gateway

1) Information disclosure

EUVDB-ID: #VU25816

Risk: Medium

CVSSv3.1: 5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C]

CVE-ID: CVE-2020-10110

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to some responses of the web based solution are handled with an included caching system. A remote attacker can gain unauthorized access to sensitive information stored in cache.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Citrix NetScaler Gateway: 11.1.41.26 - 12.1.55.18

External links

http://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-004.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU25817

Risk: Low

CVSSv3.1: 3.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:C]

CVE-ID: CVE-2020-10112

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cache poisoning attacks.

The vulnerability exists due to incorrect processing of HTTP requests that rely on HTTP parameter values. If a client is requesting a URL with parameter "value=A", the parameter will be processed and the response will be cached.  If another client is requesting the same URL but with a different parameter "value=B", the request will be answered with the initial response ("value=A") during the caching time (for 112 seconds).

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Citrix NetScaler Gateway: 11.1.41.26 - 12.1.55.18

External links

http://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-005.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU25818

Risk: Low

CVSSv3.1: 3.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:C]

CVE-ID: CVE-2020-10111

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cache poising attacks.

The vulnerability exists due to incorrect processing of HTTP requests with different HTTP protocol versions. A remote attacker can send a specially crafted HTTP request and posing the HTTP cache.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Citrix NetScaler Gateway: 11.1.41.26 - 12.1.55.18

External links

http://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-006.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.