Submit #100426: Citrix Linux client insecure temporary ICA file creation

Title: Citrix Linux client insecure temporary ICA file creation
Description: The Citrix Linux client writes session configuration to a world-readable file in /tmp. This file contains session connection details, including credentials.

When connecting to a Citrix session via a web browser such as Firefox on Linux, you typically access a web application known as Citrix Storefront. This provides clickable icons for the applications and remote desktop sessions available to you. When you click on one of these, your browser is instructed to open a URL of the form receiver://..... which is handled by /opt/Citrix/ICAClient/util/ctxwebhelper. ctxwebhelper parses the URL and uses the decoded information to make an HTTP GET request to the remote server for an 'ica' file, which contains the connection details necessary to launch the Citrix client software, /opt/Citrix/ICAClient/wfica. The ICA file contains details such as the server hostname and the temporary session credentials needed to authenticate the session.

ctxwebhelper writes the retrieved ICA file to /tmp/launch.ica. This file is written with insecure file permissions, allowing it to be read by any user of the client device. Any user of the client device can therefore obtain the session credentials by waiting for this file to be created and reading it. Once this is done, it is possible to initiate a session as the targeted user.
Source: https://support.citrix.com/article/CTX477618
User: rhowe (UID 38998)
Submission: 03/11/2023 12:11 (3 years ago)
Moderation: 03/11/2023 13:02 (51 minutes later)
Status: Accepted
VulDB entry: 222850 [Citrix Workspace app 2212 on Linux ICA File access control]
Points: 20
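The check an administrator would want for the issue described above, as an added example that is not part of the submission or of Citrix's code: an audit that flags ICA files in a directory that users other than the owner can read, beside the hardened creation pattern (mkstemp, mode 0600, O_EXCL) that avoids the world-readable temporary file. The directory, file names and ICA-like content in the demo are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that let any user other than the owner read the file.
NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH


def audit_file(path: str) -> dict:
    """Report ownership and permission facts for one file without reading its contents."""
    st = os.lstat(path)  # lstat: do not follow symlinks planted in a shared /tmp
    return {
        "path": path,
        "mode": stat.S_IMODE(st.st_mode),
        "is_symlink": stat.S_ISLNK(st.st_mode),
        "readable_by_others": bool(st.st_mode & NON_OWNER_READ),
    }


def find_exposed_ica_files(directory: str) -> list:
    """List .ica files directly under `directory` that group or world can read."""
    return sorted(
        str(p) for p in Path(directory).glob("*.ica")
        if audit_file(str(p))["readable_by_others"]
    )


def write_private_file(directory: str, data: bytes, suffix: str = ".ica") -> str:
    """Hardened pattern: mkstemp opens the file with mode 0600 and O_EXCL regardless
    of umask, so other users cannot read it and a pre-placed file at the path
    cannot be hijacked. Returns the path of the file it created."""
    fd, path = tempfile.mkstemp(prefix="launch-", suffix=suffix, dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Constructed scenario: a privately created file, then the same file with the
    world-readable mode the report describes for /tmp/launch.ica."""
    directory = tempfile.mkdtemp()
    path = write_private_file(directory, b"[WFClient]\nVersion=2\n")  # constructed content
    before = audit_file(path)
    os.chmod(path, 0o644)  # reproduce the insecure permissions on our own file only
    after = audit_file(path)
    return {"before": before, "after": after, "exposed": find_exposed_ica_files(directory)}


if __name__ == "__main__":
    print(demo())
```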
