Question: Problem: Citrix Access Gateway allows security scan bypass
There appears to be a major security hole in the Citrix Access Gateway 4.2 Pre-Authentication Policy "pre-scan" capability, and I'm hoping someone knows how to close that gaping hole. If the policy is turned on (e.g. to detect viruses, keyloggers, etc. or to block certain types of workstations) and the scan fails, the user is appropriately redirected to a failure page (https://fqdn/__prescan_failed.html). However, if they modify that URL, replacing "failed" with anything else, then they are allowed past the scan and can then login.
This is a big concern on two levels: (1) if a legitimate user who has unwittingly installed a keylogger bypasses the scan, someone now has their login credentials; (2) if an unwanted user who should have been blocked bypasses the scan, they can now hack away at the Citrix server login.
Citrix has known about this since at least February and hasn't fixed it yet and won't commit to a fix date. (If a vendor like Microsoft had the same lack of response to a far lesser security hole, they would be raked across the coals in the mainstream media and blogs around the world.)
Does anyone have a workaround to prevent someone from continuing past the Citrix scan failure page?
Answer: Problem: Citrix Access Gateway allows security scan bypass
I am no expert in this, and I may be completely wrong, but why wouldn't simple URL blocking in the exterior firewall prevent that? It might be tricky to get _prescan_failed to be allowed and _prescan_* to be rejected, but perhaps it's possible? Perhaps blocking all URLs beginning _prescan would still allow the redirect, but prevent them from changing it?
-gsgi
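One way to realise the URL-blocking idea in the answer above, written here as an added example and not code from the poster or from Citrix: a small filter that allows only the exact failure page and rejects every other path under the pre-scan prefix. It assumes the double-underscore `/__prescan_failed.html` path quoted in the question, and it canonicalises the path before matching, since a rule that compares raw strings would not catch encoded, case-changed or dot-segment variants of the same path.

```python
from urllib.parse import unquote, urlsplit
import posixpath

# Assumption (from the question): the only legitimate pre-scan URL is the
# failure page; any other path under "/__prescan" is treated as a tampered
# redirect and refused at the perimeter instead of reaching the login page.
ALLOWED_PRESCAN_PATH = "/__prescan_failed.html"
PRESCAN_PREFIX = "/__prescan"


def normalize_path(raw_url: str) -> str:
    """Reduce a request URL to one canonical path so the rule cannot be dodged
    by encoding or layout: drop query/fragment, percent-decode twice (handles
    double encoding), collapse '.', '..' and repeated slashes, lower-case."""
    path = urlsplit(raw_url).path or "/"
    for _ in range(2):
        path = unquote(path)
    # normpath keeps a leading "//"; strip and re-add a single slash so that
    # "//__prescan_x.html" and "/__prescan_x.html" compare equal.
    path = "/" + posixpath.normpath(path).lstrip("/")
    return path.lower()


def prescan_rule(raw_url: str) -> str:
    """Return 'allow' or 'deny' for one request.
    The failure page itself must stay reachable (the gateway redirects to it),
    every other pre-scan path is denied, and unrelated paths are left alone."""
    path = normalize_path(raw_url)
    if path == ALLOWED_PRESCAN_PATH:
        return "allow"
    if path.startswith(PRESCAN_PREFIX):
        return "deny"
    return "allow"


def filter_requests(urls):
    """Apply the rule to a batch of request URLs; handy for reviewing a log."""
    return {u: prescan_rule(u) for u in urls}


# Constructed sample requests (not taken from any real gateway log).
SAMPLE_REQUESTS = [
    "https://fqdn/__prescan_failed.html",    # legitimate redirect target
    "https://fqdn/__prescan_passed.html",    # edited redirect: deny
    "https://fqdn/__PRESCAN_ok.html?x=1",    # case change plus query string
    "https://fqdn/%5F%5Fprescan_done.html",  # percent-encoded underscores
    "https://fqdn/foo/../__prescan_x.html",  # dot-segment variant
    "https://fqdn/login",                    # unrelated path: allow
]

if __name__ == "__main__":
    for url, decision in filter_requests(SAMPLE_REQUESTS).items():
        print(f"{decision:5}  {url}")
```

The same allow-then-deny ordering carries over to a firewall or reverse-proxy rule set, where the exact-match allow for the failure page must come before the prefix deny.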