| Title | Citrix Linux client leaks credentials to logs |
|---|
| Description | When connecting to a remote Citrix session via a web browser, the Citrix client software for Linux emits the temporary session credentials, which end up in the client device's system log.
This has been reported to Citrix, who do not consider this to be a vulnerability in the product.
When connecting to a Citrix session via a web browser such as Firefox on Linux, typically you access a web application known as Citrix Storefront. This provides clickable icons for the applications and remote desktop sessions available to you.
When you click on one of these, your browser is instructed to open a URL of the form receiver://..... which is handled using /opt/Citrix/ICAClient/util/ctxwebhelper. ctxwebhelper parses the URL and uses the decoded information to make an HTTP GET request to the remote server for an 'ica' file, which contains the connection details necessary to launch the Citrix client software, /opt/Citrix/ICAClient/wfica.
The ICA file contains details such as the server hostname and temporary session credentials needed to authenticate the session.
When making the GET request to retrieve the ICA file, ctxwebhelper echoes the full HTTP response (headers & body) to standard output, which ends up feeding into journald and then into the system log files.
This can be demonstrated by connecting to a Citrix session and running:
grep receiver\\.desktop.*LogonTicket= /var/log/syslog
which will produce output such as
2023-01-12T11:15:46.816466+00:00 myhostname receiver.desktop[9999]: LogonTicket=1234567890ABCDEF1234567890ABCD
|
|---|
| Source | ⚠️ https://github.com/rhowe/disclosures/tree/main/citrix-linux-client-cred-leak |
|---|
| User | rhowe (UID 38998) |
|---|
| Submission | 16/01/2023 11:26 AM (3 years ago) |
|---|
| Moderation | 16/01/2023 01:30 PM (2 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 218413 [Citrix Workspace App 2212 on Linux ICA Session ctxwebhelper information disclosure] |
|---|
| Points | 20 |
|---|
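
An added example (not part of the original report or of Citrix's software): a shell audit that finds the same receiver.desktop LogonTicket lines as the grep in the description, but masks the ticket value so the check itself does not copy the credential into terminal scrollback or a report. The function names and the sample log lines are constructed for illustration; the log format follows the output shown in the description.

```shell
#!/bin/sh
# Added example: audit syslog-format files for leaked Citrix LogonTicket
# values without echoing the ticket itself.

# Log line shape taken from the description: receiver.desktop[PID]: LogonTicket=VALUE
LEAK_RE='receiver\.desktop\[[0-9]+\]: .*LogonTicket='

# Print matching lines with the ticket value masked.
# $1: log file to scan (for example /var/log/syslog)
scan_ticket_leaks() {
    grep -E "$LEAK_RE" "$1" |
        sed -E 's/(LogonTicket=)[^[:space:]]+/\1[REDACTED]/g'
}

# Print only the number of leaking lines (0 when the file is clean).
count_ticket_leaks() {
    grep -Ec "$LEAK_RE" "$1" || true
}

# Write constructed sample log lines to $1. The ticket is the placeholder
# value shown in the description, not a real credential.
make_sample_log() {
    cat > "$1" <<'EOF'
2023-01-12T11:15:46.816100+00:00 myhostname receiver.desktop[9999]: HTTP/1.1 200 OK
2023-01-12T11:15:46.816466+00:00 myhostname receiver.desktop[9999]: LogonTicket=1234567890ABCDEF1234567890ABCD
2023-01-12T11:16:02.000000+00:00 myhostname cron[123]: job finished
EOF
}

# Demonstration on the constructed sample; point the functions at a real
# log file (and its rotated copies) to audit a client device.
sample=$(mktemp)
make_sample_log "$sample"
scan_ticket_leaks "$sample"
echo "leaking lines: $(count_ticket_leaks "$sample")"
rm -f "$sample"
```
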