Vulnerabilities > CVE-2013-6943 - Code Injection vulnerability in Citrix Netscaler Application Delivery Controller Firmware

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
citrix
CWE-94
nessus
NVD
Published: 2014-03-11
Updated: 2014-03-11

Summary

Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows remote attackers to conduct an LDAP injection attack via vectors related to SSH and Web management usernames.

Vulnerable Configurations

Part Description Count
OS
Citrix
4

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

NASL familyMisc.
NASL idCITRIX_NETSCALER_ADC_MULTIPLE.NASL
descriptionThe remote Citrix NetScaler version is affected by multiple vulnerabilities : - A denial of service vulnerability in the VM Virtual Machine Daemon. Please note that this particular vulnerability does not apply to Citrix NetScaler 10.1. (CVE-2013-6938) - A denial of service vulnerability in the Application Delivery Controller RADIUS authentication. (CVE-2013-6939) - An authenticated denial of service in the SNMP daemon. (CVE-2012-2142) - An unspecified authentication disclosure in the Application Delivery Controller. (CVE-2013-6940) - An unspecified shell breakout in the Application Delivery Controller firmware. (CVE-2013-6941) - An unspecified LDAP username injection vulnerability in the Application Delivery Controller. (CVE-2013-6943) - A cross-site scripting vulnerability in the AAA TM vServer user interface. (CVE-2013-6944)
last seen2020-06-01
modified2020-06-02
plugin id73205
published2014-03-26
reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/73205
titleCitrix NetScaler Application Delivery Controller Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(73205);
  script_version("1.6");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  script_cve_id(
    "CVE-2012-2141",
    "CVE-2013-6938",
    "CVE-2013-6939",
    "CVE-2013-6940",
    "CVE-2013-6941",
    "CVE-2013-6942",
    "CVE-2013-6943",
    "CVE-2013-6944"
  );
  script_bugtraq_id(
    53255,
    66008,
    66010,
    66013,
    66014,
    66018,
    66020,
    66043
  );

  script_name(english:"Citrix NetScaler Application Delivery Controller Multiple Vulnerabilities");
  script_summary(english:"Checks Citrix NetScaler version");

  script_set_attribute(attribute:"synopsis", value:"The remote device is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Citrix NetScaler version is affected by multiple
vulnerabilities :

  - A denial of service vulnerability in the VM Virtual
    Machine Daemon. Please note that this particular
    vulnerability does not apply to Citrix NetScaler 10.1.
    (CVE-2013-6938)

  - A denial of service vulnerability in the Application
    Delivery Controller RADIUS authentication.
    (CVE-2013-6939)

  - An authenticated denial of service in the SNMP
    daemon. (CVE-2012-2142)

  - An unspecified authentication disclosure in the
    Application Delivery Controller. (CVE-2013-6940)

  - An unspecified shell breakout in the Application
    Delivery Controller firmware. (CVE-2013-6941)

  - An unspecified LDAP username injection vulnerability
    in the Application Delivery Controller.
    (CVE-2013-6943)

  - A cross-site scripting vulnerability in the AAA TM
    vServer user interface. (CVE-2013-6944)");
  script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX139049");
  script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX140113");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Citrix NetScaler 10.1-118.7 / 10.0-77.5 / 9.3-64.4 or
later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/03/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/26");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:citrix:netscaler_application_delivery_controller_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_dependencies("citrix_netscaler_detect.nbin");
  script_require_keys("Host/NetScaler/Detected");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

app_name = "Citrix NetScaler";
version = get_kb_item_or_exit("Host/NetScaler/Version");
build = get_kb_item("Host/NetScaler/Build");

if (!build) exit(0, "The build number of " + app_name + " " + version + " could not be determined.");

display_version = version + "-" + build;
version = version + "." + build;

enhanced = get_kb_item("Host/NetScaler/Enhanced");
if (enhanced) audit(AUDIT_INST_VER_NOT_VULN, app_name, display_version + ".e");

if (version =~ "^9\.3\.")
{
  # 9.3
  fixed_version = "9.3.64.4";
}
else if (version =~ "^10\.0\.")
{
  # 10.0
  fixed_version = "10.0.77.5";
}
else if (version =~ "^10\.1\.")
{
  # 10.1
  fixed_version = "10.1.118.7";
}
else
{
  audit(AUDIT_INST_VER_NOT_VULN, app_name, display_version);
}

if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
{
  set_kb_item(name:'www/0/XSS', value:TRUE);
  set_kb_item(name:"www/0/XSRF", value:TRUE);

  if (report_verbosity > 0)
  {
    display_fixed = ereg_replace(string:fixed_version, pattern:"^([0-9]+\.[0-9]+)\.(.*)$", replace:"\1-\2");
    report =
      '\n  Installed version : ' + display_version +
      '\n  Fixed version     : ' + display_fixed +
      '\n';
    security_hole(extra:report, port:0);
  }
  else security_hole(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, display_version);

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 66043 CVE(CAN) ID: CVE-2013-6943 Citrix NetScaler是一款网络流量管理产品。 Citrix NetScaler SDX 10.0及9.3版本的应用支付控制器在实现上存在安全漏洞,攻击者可利用此漏洞造成SSH和Web管理用户名内的LDAP注入。 0 Citrix NetScaler SDX 9.x Citrix NetScaler SDX 10.x 厂商补丁: Citrix ------ Citrix已经为此发布了一个安全公告(CTX139049)以及相应补丁: CTX139049:Citrix NetScaler Application Delivery Controller Multiple Security Vulnerabilities 链接:http://support.citrix.com/article/CTX139049
idSSV:61747
last seen2017-11-19
modified2014-03-12
published2014-03-12
reporterRoot
titleCitrix NetScaler应用交付控制器跨站LDAP注入漏洞(CVE-2013-6943)

References