Citrix Access Gateway Plug-in for Windows ActiveX Control StartEPA() Method HTTP Response Header Parsing Overflows (CTX134303)

High Nessus Plugin ID 62777

Synopsis

The remote Windows host has an ActiveX control that is affected by multiple buffer overflow vulnerabilities.

Description

The Citrix Access Gateway ActiveX control for Citrix Access Gateway Enterprise Edition is installed on the remote Windows host. It is the ActiveX component of the Citrix Access Gateway Plug-in for Windows and provides an SSL-based VPN via a web browser.

The installed version of this control (nsepa.exe) is affected by the following vulnerabilities involving the 'StartEPA()' method that could lead to arbitrary code execution:

- A boundary error exists that can be exploited to cause a heap-based buffer overflow when processing overly long 'CSEC' HTTP response headers. (CVE-2011-2592)

- An integer overflow exists that can be exploited to cause a heap-based buffer overflow when processing specially crafted 'Content-Length' HTTP response headers. (CVE-2011-2593)

Solution

Update to version 9.3-57.5 / 10.0-69.4 or set the kill bit for the control.

See Also

http://www.securityfocus.com/archive/1/523728/30/0/threaded

http://www.securityfocus.com/archive/1/523729/30/0/threaded

http://support.citrix.com/article/CTX134303

Plugin Details

Severity: High

ID: 62777

File Name: citrix_access_gateway_activex_nsepa_startepa.nasl

Version: $Revision: 1.4 $

Type: local

Family: Windows

Published: 2012/10/31

Modified: 2013/05/23

Dependencies: 13855

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:ND

Vulnerability Information

CPE: cpe:/a:citrix:access_gateway

Required KB Items: SMB/Registry/Enumerated

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2012/08/02

Vulnerability Publication Date: 2012/08/01

Reference Information

CVE: CVE-2011-2592, CVE-2011-2593

BID: 54754

OSVDB: 84433

Secunia: 45299

IAVB: 2012-B-0077