Research Notes
June 29, 2023

Advisory: Citrix Gateway Open Redirect and XSS (CVE-2023-24488)

Creative Commons license

Summary

URL query parameters are not adequately sanitised before they are placed into an HTTP Location header. An attacker can exploit this to create a link which, when clicked, redirects the victim to an arbitrary location. Alternatively, the attacker can inject newline characters into the Location header to prematurely end the HTTP headers and inject an XSS payload into the response body.
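
The class of bug described above, shown as an added example that is not Citrix's or Assetnote's code: a redirect handler that copies a decoded query parameter into the Location header, beside a hardened version that rejects control characters and off-site targets. The parameter name "next", the fallback path "/" and all sample inputs are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

FALLBACK = "/"  # assumed safe landing page

def raw_response(location: str) -> bytes:
    """Serialise a 302 with the header value written exactly as given."""
    return (b"HTTP/1.1 302 Found\r\nLocation: " + location.encode("utf-8")
            + b"\r\nContent-Length: 0\r\n\r\n")

def redirect_unsafe(query: str) -> bytes:
    # "Before": the percent-decoded parameter goes straight into the header.
    return raw_response(parse_qs(query).get("next", [FALLBACK])[0])

def safe_target(value: str) -> str:
    """Return value only if it is a same-site path free of control characters."""
    if not value.isascii() or any(ord(c) < 0x20 or c == "\x7f" for c in value):
        return FALLBACK  # CR/LF or other control bytes would split the headers
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return FALLBACK  # absolute or scheme-relative URL: open redirect
    if not value.startswith("/") or value.startswith("//") or "\\" in value:
        return FALLBACK  # browsers may resolve "//" and "/\" to another host
    return value

def redirect_safe(query: str) -> bytes:
    # "After": the same lookup, but the value is validated before use.
    return raw_response(safe_target(parse_qs(query).get("next", [FALLBACK])[0]))

def split_response(resp: bytes) -> tuple:
    """Split at the first blank line, as an HTTP client would: (headers, body)."""
    head, _, body = resp.partition(b"\r\n\r\n")
    return head, body

# Constructed inputs; the body marker is inert text, not a script.
SAMPLES = {
    "benign": "next=/portal/home",
    "open_redirect": "next=https://attacker.example/",
    "crlf": "next=%0d%0a%0d%0aINJECTED-BODY",
}

if __name__ == "__main__":
    for name, query in SAMPLES.items():
        for handler in (redirect_unsafe, redirect_safe):
            head, body = split_response(handler(query))
            location = head.split(b"\r\n")[1]
            print(f"{name:14} {handler.__name__:16} {location!r} body={body[:13]!r}")
```

In the unsafe handler the decoded CR/LF pair ends the header block early, so the client parses the rest of the parameter as the response body; the hardened handler falls back to "/" for both the CRLF and the off-site inputs.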

Impact

An attacker can craft malicious links which, when clicked, either redirect the victim to an attacker-controlled website or execute JavaScript in the victim’s browser.

Affected Software

The following versions are affected by this vulnerability:

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
  • Citrix ADC 12.1-FIPS before 12.1-55.296
  • Citrix ADC 12.1-NDcPP before 12.1-55.296

Product Description

Citrix Gateway is a network appliance providing multiple functions including remote access VPN services.

Solution

Upgrade to the latest version of Citrix Gateway.

Citrix’s official advisory can be found here.

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.

Credits

Dylan Pindur - Assetnote Security Research Team

Written by:
Dylan Pindur