Back to list
iDefense Security Advisory 07.14.11: Citrix Access Gateway ActiveX Stack Buffer Overflow Vulnerability
Jul 14 2011 10:28PM
labs-no-reply (labs-no-reply ivcp vrsn com)
iDefense Security Advisory 07.14.11
Jul 14, 2011
Citrix's Access Gateway solution provides remote access to customers via
the Web browser. This is accomplished through the use of an ActiveX
control that enables an SSL based VPN. The control itself is provided by
the server upon connecting. Access Gateway functionality is provided by
several models of Access Gateway Appliances. For more information, visit
the URL referenced below.
Remote exploitation of a buffer overflow in Citrix Systems, Inc.'s
Access Gateway Client ActiveX control allows remote attackers to execute
The vulnerability exists within the ActiveX control with the following
File: %WINDIR%\Downloaded Program Files\nsepa.ocx
When processing HTTP header data provided by the Access Gateway server,
the client ActiveX control copies a variable length string into a
fixed-size stack buffer. Due to insufficient input validation, a
trivially exploitable stack-based buffer overflow can occur.
Exploitation allows attackers to execute arbitrary code in the context
of the currently logged-on user. To exploit this vulnerability, a
targeted user must load a malicious Web page created by an attacker. An
attacker typically accomplishes this via social engineering or injecting
content into compromised, trusted sites.
Additionally, a targeted user must have this control already installed
or must accept several warning prompts at the time that the attack is
taking place. This control is not on the white list included with
Internet Explorer 7.0. More information can be found at the following
This particular control also has an additional prompt inquiring whether
or not the user wishes to allow an "Endpoint Analysis" scan. The options
presented are "Yes", "No", and "Always Allow". Clicking "Yes" or "Always
Allow" can lead to exploitation. Clicking "No" can not result in
exploitation. Also, clicking "Always Allow" will create a registry key
enabling automatic scanning for all future uses of the control.
The following versions of Citrix Access Gateway Enterprise Edition are
<ul> <li>Version 8.1 prior to 8.1-67.7 </li> <li>Version 9.0 prior to
9.0-70.5 </li> <li>Version 9.1 prior to 9.1-96.4 </li> </ul>
Setting the kill-bit for this control will prevent it from being loaded
within Internet Explorer. However, doing so will prevent legitimate use
of the control.
VI. VENDOR RESPONSE
Citrix has released a patch which addresses this issue. Information
about downloadable vendor updates can be found by clicking on the URLs
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.
VIII. DISCLOSURE TIMELINE
07/01/2009 Initial Vendor Notification
07/02/2009 Initial Vendor Reply
07/14/2011 Coordinated Public Disclosure
This vulnerability was reported to iDefense by Michal Trojnara.
Get paid for vulnerability research
Free tools, research and upcoming events
X. LEGAL NOTICES
Copyright Â© 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice (at) idefense (dot) com [email concealed] for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
[ reply ]
Copyright 2010, SecurityFocus