CVE-2015-2682
medium
CVSS v3
-
CVSS v4 NEW
-
VIR risk
6.0
Description
Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 allows remote attackers to obtain credentials via a direct request to conf/securitydbData.xml.
Predictions
Exploit likelihood
20%
Patch ETA
-
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Citrix Command Center - Credential Disclosure
Abstract
It was discovered that Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. Unauthenticated attackers can download any configuration file stored in this folder, decode passwords stored in these files, and gain privileged access to devices managed by Command Center.
Tested version
This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe); other versions may also be vulnerable.
Fix
Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required).
https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html
Citrix assigned BUG0493933 to this issue.
Introduction
Citrix Command Center is a management and monitoring solution for Citrix application networking products. Command Center enables network administrators and operations teams to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified console.
Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. No access control is enforced on this folder, so an unauthenticated attacker can download any configuration file stored in it.
Details
Configuration files can be downloaded from the conf web folder. Below is an example of a configuration file that can be obtained this way.
https://<target>:8443/conf/securitydbData.xml
This file contains encoded passwords, for example:
<DATA ownername="NULL" password="C70A0eE9os9T2z" username="root"/>
These passwords can be decoded trivially. The algorithm used can be found in the JAR file NmsServerClasses.jar. For example, the encoded password C70A0eE9os9T2z decodes to SECURIFY123. The credentials stored in these files can then be used to gain privileged access to devices managed by Command Center.
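For defenders checking whether this file was already retrieved from a Command Center host, the following added example (not part of the original advisory or of Citrix's software) scans web access logs for successfully served files under the conf folder. It assumes the server writes Common Log Format and that paths are matched case-insensitively; the log lines are constructed samples.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2015:10:01:02 +0000] "GET /conf/securitydbData.xml HTTP/1.1" 200 4312
10.0.0.5 - admin [12/Mar/2015:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 1520
198.51.100.7 - - [12/Mar/2015:10:03:44 +0000] "GET /conf/%73ecuritydbData.xml?x=1 HTTP/1.1" 200 4312
203.0.113.9 - - [12/Mar/2015:10:05:00 +0000] "GET /conf/securitydbData.xml HTTP/1.1" 404 0
203.0.113.9 - - [12/Mar/2015:10:05:09 +0000] "GET /CONF//other.xml HTTP/1.1" 200 880
garbage line that does not parse
"""

def normalize(raw_path):
    """Strip the query string, percent-decode, collapse '//' and '..', lowercase."""
    path = unquote(raw_path.split("?", 1)[0])
    path = posixpath.normpath("/" + path.replace("\\", "/").lstrip("/"))
    return path.lower()  # assumption: the web root is matched case-insensitively

def find_conf_downloads(log_text):
    """Map client address -> [(time, normalized path)] for served /conf/ files."""
    hits = {}
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or m["status"] not in ("200", "206"):
            continue  # unparseable line, or nothing was served
        path = normalize(m["path"])
        if path.startswith("/conf/"):
            hits.setdefault(m["host"], []).append((m["time"], path))
    return hits

def credential_file_clients(hits):
    """Clients that were served conf/securitydbData.xml, the file named in the CVE."""
    return sorted(c for c, rows in hits.items()
                  if any(p == "/conf/securitydbdata.xml" for _, p in rows))

if __name__ == "__main__":
    found = find_conf_downloads(SAMPLE_LOG)
    for client, rows in found.items():
        for when, path in rows:
            print(f"{client} was served {path} at {when}")
    print("rotate managed-device credentials:", credential_file_clients(found))
```

Any client listed by `credential_file_clients` received the encoded passwords, so the credentials of the managed devices should be treated as exposed and changed after upgrading to the fixed build.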
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| citrix | command_center | 5.1 | |
| citrix | command_center | 5.2 | |
References
- http://packetstormsecurity.com/files/130928/Citrix-Command-Center-Configuration-Disclosure.html
- http://seclists.org/fulldisclosure/2015/Mar/126
- http://support.citrix.com/article/CTX200584
- http://www.securityfocus.com/bid/73309
- http://www.securitytracker.com/id/1031993
- https://www.exploit-db.com/exploits/36441/
- https://www.securify.nl/advisory/SFY20140802/citrix_command_center_allows_downloading_of_configuration_files.html
CWEs
CWE-17