This is a fast publish article, more detail will follow.
We have discovered a potential security issue, or at least undesired functionality, with the newly released Citrix application titled Citrix VPN.
Where customers have NetScaler Gateways configured for client access from iOS devices (for example, integration with the Citrix Receiver app on mobile devices), configured users can now download this application, point it at your internet-facing NetScaler Gateway, provide their credentials, and establish a VPN connection directly into your internal network.
Worryingly, where the NetScaler sits on the internal network, or is not restricted by access lists or firewall rules, those users will gain internal connectivity via the IP address of the NetScaler Gateway, effectively impersonating the gateway while they browse the network.
Am I affected?
If you configured the NetScaler Gateway via the wizard, used the XenMobile Access Wizard, or have a configuration as described above, your users will be able to use the VPN to gain internal network connectivity. The best way to find out is to test.
The workaround may break current functionality: your environment may require the “Windows / MAC OS X” plugin type to function correctly. It is highly advisable to speak with your Citrix partner or integrator if you are concerned about this issue or wish to make the change.
Workaround 1:
To work around this issue and block any such connections while we engage with Citrix, consider changing the Plugin Type to “Java”. This will block VPN connections.
Workaround 2:
Bind the following statement, with an action of “drop”, to a global responder policy:
more info here:
Credits for the find:
- Andrew Morgan – Initial functionality discovery.
- Bobby Maher – Confirmation of functionality & session type work around.
- Rick Roetenberg – Confirmation of functionality & responder work around.