Citrix Access Gateway Plug-in for Windows ActiveX Control StartEPA() Method HTTP Response Header Parsing Overflows (CTX134303)

Severity: High. Nessus Plugin ID: 62777

Synopsis

The remote Windows host has an ActiveX control that is affected by multiple buffer overflow vulnerabilities.

Description

The Citrix Access Gateway ActiveX control for Citrix Access Gateway Enterprise Edition is installed on the remote Windows host. It is the ActiveX component of the Citrix Access Gateway Plug-in for Windows and provides an SSL-based VPN via a web browser.

The installed version of this control (nsepa.exe) is affected by the following vulnerabilities involving the 'StartEPA()' method, which could lead to arbitrary code execution:

- A boundary error exists that can be exploited to cause a heap-based buffer overflow when processing overly long 'CSEC' HTTP response headers. (CVE-2011-2592)

- An integer overflow exists that can be exploited to cause a heap-based buffer overflow when processing specially crafted 'Content-Length' HTTP response headers. (CVE-2011-2593)

Solution

Update to version 9.3-57.5 / 10.0-69.4 or set the kill bit for the control.

See Also

https://www.securityfocus.com/archive/1/523728/30/0/threaded

https://www.securityfocus.com/archive/1/523729/30/0/threaded

https://support.citrix.com/article/CTX134303

Plugin Details

Severity: High

ID: 62777

File Name: citrix_access_gateway_activex_nsepa_startepa.nasl

Version: 1.7

Type: local

Agent: windows

Family: Windows

Published: 10/31/2012

Updated: 6/3/2021

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:citrix:access_gateway

Required KB Items: SMB/Registry/Enumerated

Exploit Ease: No known exploits are available

Patch Publication Date: 8/2/2012

Vulnerability Publication Date: 8/1/2012

Reference Information

CVE: CVE-2011-2592, CVE-2011-2593

BID: 54754

IAVB: 2012-B-0077-S

Secunia: 45299