HTTP Header Injection in Citrix ADC and Citrix Gateway (CVE-2020-8300, CVE-2021-22927)
Citrix ADC, an application delivery controller, as well as Citrix Gateway, a workspace access solution, were susceptible to a header injection attack if configured as a SAML Service Provider (SP) or SAML Identity Provider (IdP).
Certitude responsibly disclosed this vulnerability to Citrix in December 2020. A patch release addresses this issue. Note that besides applying the patch, additional configuration steps are required to mitigate this vulnerability:
Proof of Concept
An unaltered authentication sequence using SAML works as follows:
1. The user accesses a protected page (e.g. https://example.com/protected).
2. The appliance redirects the user to the SAML Identity Provider (IdP). A parameter SAMLRequest as well as a parameter RelayState are passed to the IdP.
3. The user authenticates on the IdP. Typically, if the user is already authenticated, no further authentication is required (single sign-on).
4. The IdP redirects the user back to the application and passes a SAMLResponse as well as the RelayState parameter received from the appliance.
5. The appliance verifies the SAMLResponse and redirects the user back to the protected page (https://example.com/protected).
The protected page the user tries to access is recorded in the RelayState parameter. The content of an example RelayState value, when base64 decoded, is as follows (\0 represents a NUL byte):
During step 5 of the authentication process, the appliance decodes the RelayState parameter and passes the contained URL to the Location header of the redirecting HTTP response. As there are no authenticity or integrity checks on the RelayState parameter, an attacker can arbitrarily modify this URL. Due to the lack of proper encoding, newline characters (CR, LF) contained in the URL allow for HTTP header injection.
An attacker could employ the following scenario:
1. The attacker accesses the protected page to retrieve a valid SAMLRequest.
2. The attacker lures a victim who is logged in on the IdP to an attacker-controlled page.
3. The page redirects the victim to the IdP using an HTML form:

<form action="https://idp.example.com/sso" method="POST">
  <input type="hidden" name="SAMLRequest" value="<valid SAML Request from step #1>" />
  <input type="hidden" name="RelayState" value="<manipulated RelayState>" />
  <input type="submit" value="Submit request" />
</form>

4. After checking that the user is already authenticated, the IdP redirects the browser back to the appliance.
5. The appliance issues an HTTP redirect containing the manipulated URL in the Location header.
An attacker could, for example, encode the following URL into the manipulated RelayState parameter (\r represents a CR byte, \n represents a LF byte):
The appliance would then issue an HTTP response such as the following:

HTTP/1.1 302 Object Moved
Location: 
Content-Type: text/html

<script>alert(1)<script>
This would cause e.g. Google Chrome to execute the attacker-provided script. Other approaches may be required for other browsers.
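The following Python is an added example written for this page; it is neither Certitude's nor Citrix's code and does not reproduce the appliance's actual RelayState format. It contrasts the unsafe pattern described above (decoding RelayState and copying the URL verbatim into the Location header) with a hardened handler that binds the URL to an HMAC when the RelayState is issued in step 2 and, in step 5, verifies the tag, rejects control characters such as CR and LF, and restricts the redirect target to an allowlisted host. The wire format (URL, NUL separator, hex MAC), the random key and the allowed host are assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for this example: a real deployment keeps the key in its
# configuration store and rotates it; any fresh random key works here.
RELAY_STATE_KEY = secrets.token_bytes(32)
# Assumption: only the SP's own hostname(s) are valid post-login targets.
ALLOWED_HOSTS = {"example.com"}


class RelayStateError(ValueError):
    """A RelayState value failed integrity or redirect-target validation."""


def naive_location_header(relay_state_b64: str) -> str:
    """The unsafe pattern the advisory describes (not the appliance's code):
    decode RelayState and copy the URL verbatim into the Location header.
    A CR LF inside the URL ends the header line, so whatever follows is
    parsed by the browser as additional headers and, after a blank line, body."""
    url = base64.b64decode(relay_state_b64).decode("latin-1").split("\0", 1)[0]
    return "Location: " + url


def validate_target_url(url: str) -> None:
    """Reject anything that must never reach a Location header."""
    # Any control character (CR, LF, NUL, ...) would end or corrupt the header line.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise RelayStateError("control character in redirect target")
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise RelayStateError("redirect target outside allowed hosts")


def mac_for(url: str) -> str:
    """HMAC-SHA256 over the target URL; binds the URL to this appliance's key."""
    return hmac.new(RELAY_STATE_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def encode_relay_state(url: str, mac: str) -> str:
    """Constructed wire format: URL, NUL separator, hex MAC, all base64-encoded."""
    return base64.b64encode(f"{url}\0{mac}".encode("utf-8")).decode("ascii")


def issue_relay_state(url: str) -> str:
    """Step 2 (SP -> IdP): only sign targets we would be willing to redirect to."""
    validate_target_url(url)
    return encode_relay_state(url, mac_for(url))


def consume_relay_state(relay_state_b64: str) -> str:
    """Step 5 (IdP -> SP): verify the MAC first, then re-validate the URL.
    Returns the target URL that is safe to place in a Location header."""
    try:
        raw = base64.b64decode(relay_state_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise RelayStateError("malformed RelayState") from exc
    url, sep, mac = raw.partition("\0")
    if not sep:
        raise RelayStateError("missing integrity tag")
    # Constant-time comparison; a forged or edited URL fails here before
    # its content is ever interpreted.
    if not hmac.compare_digest(mac, mac_for(url)):
        raise RelayStateError("RelayState integrity check failed")
    validate_target_url(url)
    return url


def check_relay_state(relay_state_b64: str) -> str:
    """Convenience wrapper: 'ok:<url>' or 'rejected:<reason>'."""
    try:
        return "ok:" + consume_relay_state(relay_state_b64)
    except RelayStateError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    good = issue_relay_state("https://example.com/protected")
    # Constructed attacker-shaped value: unsigned, with CR LF inside the URL.
    crlf = encode_relay_state("https://example.com/\r\nX-Injected: 1", "")
    print(repr(naive_location_header(crlf)))  # the header line is split by the CR LF
    print(check_relay_state(good))
    print(check_relay_state(crlf))
```

The MAC check runs before the URL check so that a tampered value is rejected without its content being interpreted at all; the control-character and host checks remain as defence in depth for the case where a legitimately signed value was produced by a component that did not validate its input.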
Citrix issued advisories urging affected organizations to upgrade to a version unaffected by this vulnerability. The issue was resolved with two separate patches, having separate CVE identifiers:
Moreover, additional configuration steps are required to mitigate this issue: