Submit #73266: Citrix Linux client leaks credentials to logs

Title: Citrix Linux client leaks credentials to logs

Description: When connecting to a remote Citrix session via a web browser, the Citrix client software for Linux emits the temporary session credentials, which end up in the client device's system log. This has been reported to Citrix, who do not consider this to be a vulnerability in the product.

When connecting to a Citrix session via a web browser such as Firefox on Linux, typically you access a web application known as Citrix Storefront. This provides clickable icons for the applications and remote desktop sessions available to you. When you click on one of these, your browser is instructed to open a URL of the form receiver://..... which is handled using /opt/Citrix/ICAClient/util/ctxwebhelper.

ctxwebhelper parses the URL and uses the decoded information to make an HTTP GET request to the remote server for an 'ica' file, which contains the connection details necessary to launch the Citrix client software, /opt/Citrix/ICAClient/wfica. The ICA file contains details such as the server hostname and temporary session credentials needed to authenticate the session.

When making the GET request to retrieve the ICA file, ctxwebhelper echoes the full HTTP response (headers & body) to standard output, which ends up feeding into journald and then into the system log files.

This can be demonstrated by connecting to a Citrix session and running:

    grep receiver\\.desktop.*LogonTicket= /var/log/syslog

which will produce output such as

    2023-01-12T11:15:46.816466+00:00 myhostname receiver.desktop[9999]: LogonTicket=1234567890ABCDEF1234567890ABCD
Source: https://github.com/rhowe/disclosures/tree/main/citrix-linux-client-cred-leak
User: rhowe (UID 38998)
Submission: 01/16/2023 11:26 (3 years ago)
Moderation: 01/16/2023 13:30 (2 hours later)
Status: Accepted
VulDB entry: 218413 [Citrix Workspace App 2212 on Linux ICA Session ctxwebhelper log file]
Points: 20
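
A defender-side version of the log check in the description, as an added example that is not part of the original submission or of Citrix's software: it flags receiver.desktop lines carrying LogonTicket= without storing the ticket, and redacts the value so logs can be shared or archived. The sample log lines are constructed, and treating the ticket as running up to the next whitespace is an assumption.

```python
import hashlib
import re

# Tag and key name come from the grep in the description; the value's
# character set is an assumption (anything up to the next whitespace).
TAG_RE = re.compile(r"receiver\.desktop(?:\[(?P<pid>\d+)\])?:")
TICKET_RE = re.compile(r"(?P<key>LogonTicket)=(?P<value>\S+)")


def find_leaks(lines):
    """Return one finding per receiver.desktop line that carries a LogonTicket."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        tag = TAG_RE.search(line)
        ticket = tag and TICKET_RE.search(line, tag.end())
        if not ticket:
            continue
        value = ticket.group("value")
        findings.append({
            "line": lineno,
            "pid": tag.group("pid"),
            "length": len(value),
            # Short digest lets two log copies be correlated without storing the ticket.
            "sha256_prefix": hashlib.sha256(value.encode()).hexdigest()[:12],
        })
    return findings


def redact(line):
    """Blank the ticket value on receiver.desktop lines; leave other lines alone."""
    tag = TAG_RE.search(line)
    if not tag:
        return line
    return line[:tag.end()] + TICKET_RE.sub(r"\g<key>=[REDACTED]", line[tag.end():])


# Constructed sample: the second line is the example output from the description.
SAMPLE_LOG = [
    "2023-01-12T11:15:46.816001+00:00 myhostname receiver.desktop[9999]: HTTP/1.1 200 OK",
    "2023-01-12T11:15:46.816466+00:00 myhostname receiver.desktop[9999]: LogonTicket=1234567890ABCDEF1234567890ABCD",
    "2023-01-12T11:15:47.000000+00:00 myhostname other.service[42]: LogonTicket=not-from-citrix",
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(finding)
    for line in SAMPLE_LOG:
        print(redact(line))
```

Redacting the log does not invalidate a ticket that has already been written; any copies forwarded to central log collection need the same treatment.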