CVE-2020-13998: CVE-2020-13998.txt

Vulnerability Name: User Enumeration in Citrix XenApp 6.5

Registered: CVE-2020-13998

Discoverers:

Scott Goodwin, OSCP

Jill Kamperides

OCD Tech

https://ocd-tech.com

Vendor of Product:

Citrix

Affected Product Code Base:

XenApp - Version 6.5

Attack Type:

Remote

Vulnerability Type:

User Enumeration

Vulnerability Impact:

Information Disclosure

Attack Vector:

To exploit this vulnerability, an attacker can use brute force methods

to determine whether or not a list of users exists on the affected

server by monitoring the HTTP responses returned by the server; the

HTTP responses differ substantially between valid and invalid users.

Description:

** VERSION NOT SUPPORTED WHEN ASSIGNED ** Citrix XenApp 6.5, when 2FA

is enabled, allows a remote unauthenticated attacker to ascertain

whether a user exists on the server, because the 2FA error page only

occurs after a valid username is entered.

Additional Information:

Two-factor authentication must be enabled in Citrix XenApp 6.5 for

this vulnerability to be exploited. When a valid user is entered into

the login page (with an invalid password), the server returns a

two-factor authentication error page. When a nonexistent user is entered,

the page does not change. Users on the server can be enumerated with

complete confidence by monitoring which users trigger the two-factor

authentication error page, and which do not.

This vulnerability was disclosed to Citrix on 04/30/2020. Citrix

responded that XenApp version 6.5 has reached its End of Life (EOL)

and will not be receiving a patch. Users are recommended to upgrade

to resolve this vulnerability.

Reporting Timeline:

04/30/2020: Vulnerability was reported to Citrix

05/22/2020: Citrix deems XenApp 6.5 End of Life

06/09/2020: Vulnerability registered

06/10/2020: Public disclosure

Reference:

https://ocd-tech.com