[THIN] Re: worst case scenario

  • From: Kevin Stewart <kevin.g.stewart@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 25 Aug 2009 16:41:09 -0400

While I haven't seen any *external* exploits, I have seen a few
vulnerabilities:

I worked with an agency once that was using SSL Relay directly to their
servers. Surprisingly I found out this is pretty common. The problem is that
the user's credentials are in the ICA file, and only weakly encrypted.

Check out: http://www.securiteam.com/securitynews/5XQ0H000CK.html

SSL obviously mitigates a lot of the external threat, but with other means
to procure the user's ICA file, this seemed like a significant
vulnerability.

Web Interface at one time or another was also vulnerable to XSS:
http://www.iss.net/security_center/reference/vuln/HTTP_Nfuse_Script.htm. And
interestingly, because you can launch applications from the URL
(*launch.aspx?Application=Citrix.MPS.App.Farm1.Adobe+Acrobat+Professional*),
there's another XSS potential if the Web Interface is used in a non-standard
way.

As I stated in another post, the key (I believe) to true Citrix security is
the short-lived STA ticket. It isn't 100% safe, but the window of
opportunity is incredibly small.

I think the real security issues for Citrix come from the inside. You can
put as many walls around your castle as you want, but once you let someone
in, and you have to, there's Windows...

Kevin




On Tue, Aug 25, 2009 at 11:53 AM, Greg Reese <gareese@xxxxxxxxx> wrote:

> The worst I have seen is a poorly configured server where users have more
> rights than they should and mess up an install or install something
> unauthorized.
>
>
> On Tue, Aug 25, 2009 at 10:00 AM, Wilson, Christopher <
> CMWilson@xxxxxxxxxxxxx> wrote:
>
>>  On the security topic still…
>>
>>
>>
>> What is the worst compromise you’ve seen of a Citrix environment?   I’ve
>> never seen one personally.
>>
>>
>>
>> I remember back in the day before CSG etc, we would open 1494 from the
>> outside to our internal Citrix servers.  Citrix used to claim this wasn’t
>> much of an attack vector, but eventually we got CSG and that made it more
>> secure and easier to traverse other people’s firewalls.  I’ll stop there, I
>> know there are other measures to secure this traffic, but I’m wondering how
>> much risk are we really talking about with Citrix XenApp?  What’s the worst
>> thing you’ve ever seen?  I’m trying to get a real sense of the risk we need
>> to manage with security measures.
>>
>
>


-- 
Kevin G. Stewart
