Today, I was notified that certain Citrix ADC (formerly NetScaler ADC) and Citrix Gateway appliances are vulnerable to a SAML authentication hijack: an attacker can use a phishing attack to steal a valid user session.
About the vulnerability
If Citrix ADC or Citrix Gateway appliances are not upgraded to the recommended versions, or if SAML is not configured according to the recommended settings, the appliances may allow an attacker to hijack a valid user session.
The flaw lies in the configuration of the Security Assertion Markup Language (SAML) feature. SAML is an XML-based markup language often used for exchanging authentication and authorization data between parties in order to offer single sign-on (SSO).
In the case of Citrix ADC and Citrix Gateway appliances, end users can use SAML to:
- Sign in to enterprise apps that are published behind these appliances. In this case the appliance is configured as a SAML Service Provider (SP).
- Authenticate to apps that send their SAML authentication requests to the appliance. In this case the appliance acts as a SAML Identity Provider (IdP).
The vulnerability was responsibly disclosed to Citrix by ChenNan of Chaitin Security Research Lab, Wolfgang Ettlinger and Marc Nimmerrichter of Certitude Consulting.
Only Citrix ADC and Citrix Gateway appliances models 4000-WO, 4100-WO, 5000-WO, and 5100-WO are vulnerable.
These appliances are only vulnerable when they are configured as a SAML Service Provider (SP), as a SAML Identity Provider (IdP), or both.
The following supported versions of Citrix ADC and Citrix Gateway are affected:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-82.41
- Citrix ADC and Citrix Gateway 12.1 before 12.1-62.23
- Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.20
- Citrix ADC 12.1-FIPS before 12.1-55.238
The vulnerability has already been addressed in Citrix-managed cloud services such as Citrix Gateway Service and Citrix Secure Workspace Access. Customers using Citrix-managed services do not need to take any additional action.
Call to Action
When you use Citrix ADC and/or Citrix Gateway as a SAML SP, a SAML IdP, or both, upgrade your organization's appliance(s) to at least the following versions:
- Citrix ADC and Citrix Gateway 13.0-82.41
- Citrix ADC and Citrix Gateway 12.1-62.23
- Citrix ADC and NetScaler Gateway 11.1-65.20
- Citrix ADC 12.1-FIPS 12.1-55.238
Then, configure SAML correctly, as described in the Citrix Application Delivery Controller and Citrix Gateway – SAML Configuration Reference Guide:
- Configure an expression for relayStateRule in the samlAction command.
The expression must list the published domains that end users connect to before being redirected to the authentication virtual server. Anchor each domain with ^ at the start and a forward slash / at the end of the expression, so that only URLs on exactly those hosts match.
- In the SAML IdP profile, configure acsURLRule with an expression listing the Assertion Consumer Service (ACS) URLs of the service providers this IdP serves.
The expression depends on the SP being used. If Citrix ADC is configured as the SP, the ACS URL is https://<SP-domain_name>/cgi/samlauth. Anchor the expression with ^ at the start of the domain and a dollar sign $ at the end of the string, so that only the exact ACS URL matches.
If the Citrix ADC appliance is partitioned, then ensure that you update the configuration on all the individual partitions, including the default.
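To make the anchoring requirement in the two rules concrete, here is an added example, not code from this page or from Citrix, that models both checks in Python: a strict, anchored relayStateRule/acsURLRule match beside the loose substring match the guide warns against, run over constructed phishing-style RelayState values and a constructed SAML AuthnRequest carrying a look-alike ACS URL. The domains (portal.example.com, mail.example.com, sp.example.com, attacker.test) are placeholders, and the Citrix expression syntax quoted in the comments is an assumption to be checked against the reference guide.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed placeholders (assumptions, not from the advisory).
PUBLISHED_DOMAINS = ["portal.example.com", "mail.example.com"]  # sites published behind the SP
SP_DOMAINS = ["sp.example.com"]                                  # Citrix ADC SPs served by the IdP
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def _anchored(domains, suffix):
    """Build ^https://(d1|d2)<suffix> with every domain regex-escaped."""
    alts = "|".join(re.escape(d) for d in domains)
    return re.compile(r"^https://(" + alts + r")" + suffix)


# SP side: RelayState must begin with https://<published-domain>/ .
# Assumed Citrix form (check against the reference guide):
#   -relaystateRule "AAA.LOGIN.RELAYSTATE.REGEX_MATCH(re#^https://(portal|mail)\.example\.com/#)"
RELAY_STATE_RE = _anchored(PUBLISHED_DOMAINS, r"/")

# IdP side: the ACS URL in the AuthnRequest must be exactly https://<SP>/cgi/samlauth .
# Assumed Citrix form:
#   -acsUrlRule "AAA.LOGIN.SAML_REQ_ACS_URL.REGEX_MATCH(re#^https://sp\.example\.com/cgi/samlauth$#)"
ACS_URL_RE = _anchored(SP_DOMAINS, r"/cgi/samlauth$")


def relay_state_allowed(relay_state: str) -> bool:
    """Strict check: anchored with ^ and a slash right after the host."""
    return RELAY_STATE_RE.match(relay_state) is not None


def relay_state_allowed_weak(relay_state: str) -> bool:
    """Loose check with no anchors: the published domain anywhere in the string passes."""
    return any(d in relay_state for d in PUBLISHED_DOMAINS)


def acs_url_allowed(acs_url: Optional[str]) -> bool:
    """Strict check: anchored with ^ and $, so only the exact ACS endpoint passes."""
    return acs_url is not None and ACS_URL_RE.match(acs_url) is not None


def acs_url_from_authn_request(xml_text: str) -> Optional[str]:
    """Pull AssertionConsumerServiceURL out of a SAML 2.0 AuthnRequest."""
    # The sample below is constructed locally; parse real untrusted XML with defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        return None
    return root.get("AssertionConsumerServiceURL")


# Constructed RelayState values an attacker might plant in a phishing link.
ATTACKER_RELAY_STATES = [
    "https://portal.example.com.attacker.test/",                # published host used as a prefix
    "https://attacker.test/?next=https://portal.example.com/",  # published host in the query string
    "https://attacker.test/portal.example.com/",                # published host in the path
]
LEGIT_RELAY_STATES = ["https://portal.example.com/", "https://mail.example.com/owa/"]

# Constructed AuthnRequest whose ACS URL points at a look-alike host.
SPOOFED_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_1" Version="2.0" '
    'IssueInstant="2021-06-10T12:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com.attacker.test/cgi/samlauth"/>'
    % SAMLP_NS
)


def audit() -> dict:
    """Report which attacker inputs each rule lets through."""
    return {
        "weak_relay_passes": [u for u in ATTACKER_RELAY_STATES if relay_state_allowed_weak(u)],
        "strict_relay_passes": [u for u in ATTACKER_RELAY_STATES if relay_state_allowed(u)],
        "spoofed_acs_allowed": acs_url_allowed(acs_url_from_authn_request(SPOOFED_AUTHN_REQUEST)),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

The loose rule accepts every one of the constructed phishing RelayState values, which is exactly the path to redirecting a freshly authenticated session to an attacker-controlled host; the anchored rules accept only the legitimate hosts and the exact ACS endpoint.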