Headline
CVE-2020-13998: CVE-2020-13998.txt
** UNSUPPORTED WHEN ASSIGNED ** Citrix XenApp 6.5, when 2FA is enabled, allows a remote unauthenticated attacker to ascertain whether a user exists on the server, because the 2FA error page only occurs after a valid username is entered. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Vulnerability Name: User Enumeration in Citrix XenApp 6.5
Registered: CVE-2020-13998
Discoverers:
Scott Goodwin, OSCP
Jill Kamperides
OCD Tech
https://ocd-tech.com
Vendor of Product:
Citrix
Affected Product Code Base:
XenApp - Version 6.5
Attack Type:
Remote
Vulnerability Type:
User Enumeration
Vulnerability Impact:
Information Disclosure
Attack Vector:
To exploit this vulnerability, an attacker can use brute force methods
to determine whether or not a list of users exists on the affected
server by monitoring the HTTP responses returned by the server; the
HTTP responses differ substantially between valid and invalid users.
Description:
** VERSION NOT SUPPORTED WHEN ASSIGNED ** Citrix XenApp 6.5, when 2FA
is enabled, allows a remote unauthenticated attacker to ascertain
whether a user exists on the server, because the 2FA error page only
occurs after a valid username is entered.
Additional Information:
Two-factor authentication must be enabled in Citrix XenApp 6.5 for
this vulnerability to be exploited. When a valid user is entered into
the login page (with an invalid password), the server returns a
two-factor authentication error page. When a nonexistent user is entered,
the page does not change. Users on the server can be enumerated with
complete confidence by monitoring which users trigger the two-factor
authentication error page, and which do not.
This vulnerability was disclosed to Citrix on 04/30/2020. Citrix
responded that XenApp version 6.5 has reached its End of Life (EOL)
and will not be receiving a patch. Users are recommended to upgrade
to resolve this vulnerability.
Reporting Timeline:
04/30/2020: Vulnerability was reported to Citrix
05/22/2020: Citrix deems XenApp 6.5 End of Life
06/09/2020: Vulnerability registered
06/10/2020: Public disclosure
Reference:
https://ocd-tech.com