Secure Systems Exposes Vulnerabilities in Citrix Implementations Six
Months on Since Vulnerabilities Were Exposed and Nothing has Changed (
Ongoing security assessments by GSS on Citrix environments have shown the
following statistics:

· 100 per cent of Citrix deployments tested have been vulnerable to
  arbitrary code execution
· More than 80 per cent of deployments exposed commercially sensitive
  data
· Many breach Data Protection Act requirements
· Standard security procedures were not applied to most Citrix
  deployments.

In 2007, the fastest breach took only 15 seconds after logging on to the
service. In recent weeks this has been reduced to under 10 seconds. Even in
the most locked-down environment GSS ever encountered, five high-risk
vulnerabilities were discovered! These were the result of small errors made
in configuration – typically many more such errors are found, any one of
which could lead to the network being compromised.

Most recently in a very well hardened
implementation, where there were very few issues initially, GSS were able to
write and run a Java port scanning tool, leading to the discovery of the entire
network and DR configuration and admin passwords.

GSS,
through its merger with Peapod, has been carrying out security reviews as
bespoke consulting assignments for more than five years, in environments
ranging from Citrix for Windows NT 4.0 to the latest Citrix nFuse
deployments on Windows 2003 Server.

The different
attack methods developed during this period have been distilled into the
company’s security assessment: Citrix Environment Security Assessment (CESA).
CESA aims to identify the risk of anyone with legitimate access (or a
compromised user account) gaining access through Citrix to system files and
sensitive data belonging to colleagues, managers and directors. The ease with
which this could be accomplished with the right knowledge, and the type of
information that could be stolen or corrupted, is also assessed.

Robin Hollington, Director of Consulting for GSS, said, "Imagine
how your board would feel if they discovered that a junior clerk had
subverted controls to gain access to board members’ restricted network
drives, had the freedom to browse through payroll, trading and research data,
and the facility to export this and other sensitive information such as
business plans and customer databases without being detected. In a Financial
Services company, we found a spreadsheet containing the domain admin
passwords for each and every server, and the quotes, methodologies, terms and
reports from a number of competitors. Our assessments prove that this information can be readily accessed
with very little knowledge and easily leaked out of the business."

Although
hardening guides are useful, simply working from these is not sufficient to
secure the Citrix/Windows environment; even a single, small, overlooked
opening can be exploited to give high-risk access. Although Citrix update
their guides regularly, GSS still see problems and can only assume they are not
being adequately followed. Furthermore, applying additional mitigation
measures merely addresses the symptoms, not the causes, and can often target
expenditure in the wrong areas. Testing is therefore essential to identify
the real issues and select the appropriate controls.

Each CESA
is unique to a given organisation, according to compliance requirements, risk
appetite and experience in security architecture and administration. From the
assessment results, clients gain an independent, balanced and pragmatic view
of risks arising from their implementation of Citrix and the threats
affecting them. The report provides a high-level executive summary, with a
detailed breakdown of technical findings and quantified vulnerabilities,
along with practical recommendations and guidance on appropriate
countermeasures to help avoid compromise.

Given the
potential for misuse, GSS will not publish exact details of the CESA test
methods undertaken, but the company is concerned that some of the techniques
involved are now being openly discussed in the hacker community. Even though
there is not a flaw in Citrix itself, but in the implementation of it, GSS
can confirm they have reported these findings to Citrix. (Global Secure
Systems: ra)