Citrix Access Gateway Plug-in for Windows ActiveX Control StartEPA() Method HTTP Response Header Parsing Overflows (CTX134303)
High Nessus Plugin ID 62777
SynopsisThe remote Windows host has an ActiveX control that is affected by multiple buffer overflow vulnerabilities.
DescriptionThe Citrix Access Gateway ActiveX control for Citrix Access Gateway Enterprise Edition is installed on the remote Windows host. It is the ActiveX component of the Citrix Access Gateway Plug-in for Windows and provides an SSL-based VPN via a web browser.
The installed version of this control (nsepa.exe) is affected by the following vulnerabilities involving the 'StartEPA()' method that could lead to arbitrary code execution :
- A boundary error exists that can be exploited to cause a heap-based buffer overflow when processing overly long 'CSEC' HTTP response headers. (CVE-2011-2592)
- An integer overflow exists that can be exploited to cause a heap-based buffer overflow when processing specially crafted 'Content-Length' HTTP response headers. (CVE-2011-2593)
SolutionUpdate to version 9.3-57.5 / 10.0-69.4 or set the kill bit for the control.