Taking care when publishing Citrix services inside the corporate network or to the Internet

Published: 2014-01-21
Last Updated: 2014-01-21 23:17:49 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
5 comment(s)

Citrix has some interesting products like XenApp, which allow people to access corporate application from tablets, Windows Terminals and also Windows servers and PC. Depending on how are you using them, you might be creating vulnerabilities to your information assets.

  • If you are using it inside the corporate network, it will use Pass-Through authentication with your windows domain authentication protocol. If you already have kerberos, you have nothing to worry about. You should not have any (NT)LM hash circulating through your network.
  • If you are using Citrix on the Internet, it is published in a IIS Web Server. Implementations can be done using username/password authentication or username/password/One Time Password. Unfortunately, many companies still believe that having an extra authentication factor is too expensive and difficult to handle, including the misconception of "I will never have my identity stealed".

Let's talk about published applications on Citrix with no extra authentication factor in place, which corresponds to the majority of cases. Since people tend to use mobile devices these days and also when they are big bosses in the company they want to handle their information in the most easy way, most of them requires IT to publish the ERP payments module, because they can authorize them from any place in any situation that allows them to have two minutes to perform the operation.

If the company happens to handle lots and lots of money, attackers might talk to any inside employee willing to have some extra money. First thing to do is to determine if the Citrix Farm linked to the Citrix Access Gateway where the user is being authenticated publishes the ERP Payment Application. How can you you do that? you can use the citrix-enum-apps nmap script. The syntax follows:

nmap -sU --script=citrix-enum-apps -p 1604 citrix-server-ip

If the attacker gets an output like the following, the company could be definitely in big problems:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-21 17:38 Hora est. Pacífico, Sudamérica
Nmap scan report for hackme-server (
Host is up (0.0080s latency).
rDNS record for hackme-server.vulnerable-implementation.org
1604/udp open  unknown
|   OW ERP8 Payroll
|   OW ERP8 Provider payments
|   Internet Explorer
|   AD Users and Computers

Nmap done: 1 IP address (1 host up) scanned in 15.76 seconds

Bingo! Provider payments is being published. All we need to do is perform good-old-man-in-the-middle to the IIS Server and we will have a username/password to generate random payments.

How can you remediate this situation?

  • Using username/password authentication it's definitely a BAD idea. Extra authentication factors needs to be placed and specially for users with critical privileges.
  • Configure your mobile clients to accept the specific server certificates and instruct them to interrupt any connection that shows a certificate error.
  • Ensure that Citrix Access Gateway server is the only one allowed to contact to the Citrix Server via UDP port 1604 and also that Citrix Farm is not accessible to the Internet or the corporate Network.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

5 comment(s)


You wrote:
"I will never have my identity stealed".
s/stealed/stolen/ [G,D,RLH]
Then again, he *did* say it was a misconception...
I'll speak as a Citrix Architect and say if you are exposing the legacy UDP 1604 to the internet you have are asking to be owned. This has be a depreciated method of enumerating applications for at least 5 years. I would consider this a non issue, except for the quantity of unsupportable legacy crap I see enterprises still calling mission critical. If you are doing something crazy like putting Citrix servers (or any windows box for that matter) on the internet with a public IP or unfirewalled 1-1 NAT you will get what you deserve. If you have business critical data on a Metaframe 3.0 box you will also see fail. As an IT admin that has been placed in the position of "supporting" this kind of stuff, I know in my heart that the business unit that will not fund the upgrade is responsible when this falls down. The reality is that IT will be faulted for not securing it. Ramblings of the Citrix Goon...
It does appear that the usage of port 1604 has been deprecated from Citrix, but when installing the latest version of XenApp a firewall port rule is added by the installer which opens inbound UDP port 1604. So whether or not Citrix uses it, the installer opens it, for everyone. The concern that is raised in the post is that internal staff may be recruited to assist in the process. Now whether you expose your XA site to the internet or not doesn't matter. It seems prudent to first try disabling the port altogether, if that is unacceptable restricting it to specific inbound IPs would be a good second approach.
Xendesktop 7.1 has a new architecture and if the installer is still opening 1604 on the DDCs then I'll throw Citrix a ticket ASAP. There is no service behind it in any case so the risk is low. In 6.5 you have session hosts (that do not run any enumeration services) and brokers which can do enumeration. Depending on your needs, you can build a wall around your brokers and only let the session hosts and your front ends speak to them. I am not near a 6.5 installation but the UDP support ended in 5.0 in my recollection. If you are running 6.0 we will have a moment of silence for your pain...

Diary Archives