How to Enable SSL on Cloud Connectors to Secure XML Traffic v0.3

Updated version of my set-CTXCloudConnectorToSecureXMLTraffic.ps1 script due to name and location changes of the Citrix Cloud Connector installation.

<#
    set-CTXCloudConnectorToSecureXMLTraffic_v03.ps1

    v0.3 - New Broker Service Name and Path -> Citrix Remote Broker Provider - x64 - Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    v0.2 - Check for Certificates
    v0.1 - Initial Version

    https://support.citrix.com/article/CTX221671
    
    netsh http add sslcert ipport=0.0.0.0:443
    certhash=PASTE_CERT_HASH_HERE_FROM_NOTEPAD
    appid={PASTE_XD_GUID_HERE_BETWEEN{}_FROM_NOTEPAD

    Browse to HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer\
    Right-click DesktopServer, select New > DWORD (32-bit) Value
    Name: XmlServicesEnableNonSsl
    Value Data: 0

#>


# To obtain the Citrix Broker Service GUID on the Cloud Connector, in the Registry Editor, select Find, and search for Citrix Remote Broker Provider - x64.
# The search should return an entry in the following registry location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
$keys = Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"

foreach($key in $keys){
    if((Get-ItemProperty $key.PSPath).DisplayName -eq 'Citrix Remote Broker Provider - x64'){
        # The key name is the product GUID including the braces, {8-4-4-4-12}, which is exactly what netsh expects as appid
        $CtxBrokerServiceValues = $key.PSChildName
    }
}

if (-not $CtxBrokerServiceValues) {
    Write-Host "Citrix Remote Broker Provider - x64 not found in the Uninstall registry key." -ForegroundColor Yellow
    exit 1
}


# Check for Certificates
$certs = (Get-ChildItem Cert:\LocalMachine\My\)
$selectedCert = $null

$certNames = $certs | ForEach-Object { $_.Subject }
write-host "******* Installed Cert Subjects **********" -ForegroundColor Green
$i = 0
foreach($certname in $certnames){
    $i++
    write-host "$i - $certname"
}
#$certNames
write-host ""

# -as [int] yields $null for non-numeric input instead of throwing, so bad input falls through to the else branch
$selectedCertName = (Read-Host "Enter the number of the certificate you want to select") -as [int]

if ($selectedCertName -le $i -AND $selectedCertName -gt 0) {
    $selectedCert = $certs[$selectedCertName-1]
    $selectedCert
}
else {
    Write-Host "Certificate not found." -ForegroundColor Yellow
    $selectedCert = $null
    exit 1 # stop the script; a top-level break would also terminate the calling scope
}


# Get CC Computer Certificate Thumbprint
#$certhash = (Get-ChildItem Cert:\LocalMachine\My\).Thumbprint
$certhash = $selectedCert.Thumbprint


# Note: The “Citrix Broker Service GUID” being used to create the SSL binding may change with the Connector upgrades, however, no change is required to the SSL binding. 
# The binding would persist through these changes and SSL would continue to be enabled for the XML traffic.
#netsh http add sslcert ipport=0.0.0.0:443 certhash=$certhash appid=$appID
netsh http add sslcert ipport=0.0.0.0:443 certhash=$certhash appid=$CtxBrokerServiceValues

# Allow only secure traffic
$registryPath = "HKLM:\Software\Citrix\DesktopServer"
$Name = "XmlServicesEnableNonSsl"
$value = "0"
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
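As an added post-check (not part of the original script), the following verification script reads back what the script above configured. It assumes you pass it the same thumbprint and {GUID} that were handed to netsh, and it reports any mismatch in the certificate, the HTTP.SYS binding or the XmlServicesEnableNonSsl value:

```powershell
# Added verification script, not part of set-CTXCloudConnectorToSecureXMLTraffic.ps1.
# Usage: .\test-CtxXmlSsl.ps1 -CertHash <thumbprint> -AppId '{GUID}'
param(
    [Parameter(Mandatory)][string]$CertHash,   # thumbprint passed to netsh as certhash
    [Parameter(Mandatory)][string]$AppId       # {GUID} passed to netsh as appid
)

function Test-CtxXmlSsl {
    param([string]$CertHash, [string]$AppId)
    $findings = @()

    # 1. The certificate must still be in the machine store, unexpired, and have a private key
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $CertHash }
    if (-not $cert)                        { $findings += "No certificate with thumbprint $CertHash in LocalMachine\My" }
    elseif (-not $cert.HasPrivateKey)      { $findings += "Certificate has no private key; HTTP.SYS cannot use it" }
    elseif ($cert.NotAfter -lt (Get-Date)) { $findings += "Certificate expired on $($cert.NotAfter)" }

    # 2. The HTTP.SYS binding on 0.0.0.0:443 must reference this hash and AppID
    $binding = (netsh http show sslcert ipport=0.0.0.0:443) -join "`n"
    if ($binding -match 'Certificate Hash\s*:\s*(\S+)') {
        if ($Matches[1] -ne $CertHash) { $findings += "Binding uses hash $($Matches[1]), expected $CertHash" }
        if ($binding -match 'Application ID\s*:\s*(\S+)' -and $Matches[1] -ne $AppId) {
            $findings += "Binding uses AppID $($Matches[1]), expected $AppId"
        }
    } else {
        $findings += "No SSL binding on 0.0.0.0:443"
    }

    # 3. XmlServicesEnableNonSsl must be 0, otherwise non-SSL XML traffic is still accepted
    $reg = Get-ItemProperty -Path 'HKLM:\Software\Citrix\DesktopServer' -Name 'XmlServicesEnableNonSsl' -ErrorAction SilentlyContinue
    if ($null -eq $reg)                         { $findings += "XmlServicesEnableNonSsl is not set; non-SSL XML traffic is still allowed" }
    elseif ($reg.XmlServicesEnableNonSsl -ne 0) { $findings += "XmlServicesEnableNonSsl is $($reg.XmlServicesEnableNonSsl), expected 0" }

    return ,$findings   # unary comma keeps an empty result as an array
}

$result = Test-CtxXmlSsl -CertHash $CertHash -AppId $AppId
if ($result.Count -eq 0) {
    Write-Host "OK: XML traffic is bound to $CertHash and non-SSL XML traffic is disabled" -ForegroundColor Green
} else {
    $result | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Yellow }
    exit 1
}
```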

How to Enable SSL on Cloud Connectors to Secure XML Traffic v0.2

A little update to my set-CTXCloudConnectorToSecureXMLTraffic.ps1 script.

Now it lists all available certificates on the machine and you have to select the one you want to use.

<#
    set-CTXCloudConnectorToSecureXMLTraffic.ps1

    v0.2 - Check for Certificates
    v0.1 - Initial Version

    https://support.citrix.com/article/CTX221671
    
    netsh http add sslcert ipport=0.0.0.0:443
    certhash=PASTE_CERT_HASH_HERE_FROM_NOTEPAD
    appid={PASTE_XD_GUID_HERE_BETWEEN{}_FROM_NOTEPAD

    Browse to HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer\
    Right-click DesktopServer, select New > DWORD (32-bit) Value
    Name: XmlServicesEnableNonSsl
    Value Data: 0

#>

# Find Citrix Broker Service GUID on the Cloud Connector
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
$keys = Get-Item "HKCR:\Installer\Products\*"
Remove-PSDrive -Name "HKCR"

foreach($key in $keys){
    if((get-itemproperty $key[0].PsPath).Productname -eq 'Citrix Broker Service'){
        $CtxBrokerServiceValues = Get-ItemProperty $key.PSPath
    }
}

# Format the string of the Service GUID
# It is important to mention that the entry in the registry is presented without the dashes for the GUID.
# Please make sure that the dashes are added in the following format: 8-4-4-4-12
$appID = '{' + ($CtxBrokerServiceValues.PSChildName) + '}'
$appID = $appID.Insert(9,'-')
$appID = $appID.Insert(14,'-')
$appID = $appID.Insert(19,'-')
$appID = $appID.Insert(24,'-')


# Check for Certificates
$certs = (Get-ChildItem Cert:\LocalMachine\My\)
$selectedCert = $null

$certNames = $certs | ForEach-Object { $_.Subject }
write-host "******* Installed Cert Subjects **********" -ForegroundColor Green
$i = 0
foreach($certname in $certnames){
    $i++
    write-host "$i - $certname"
}
#$certNames
write-host ""

[int]$selectedCertName = Read-Host "Enter the number of the certificate you want to select"

if ($selectedCertName -le $i -AND $selectedCertName -gt 0) {
    #$selectedCert = $certs | Where-Object { $_.Subject -eq $selectedCertName }
    $selectedCert = $certs[$selectedCertName-1]
    $selectedCert
}
else {
    Write-Host "Certificate not found." -ForegroundColor Yellow
    $selectedCert = $null
    exit 1 # stop the script; a top-level break would also terminate the calling scope
}


# Get CC Computer Certificate Thumbprint
#$certhash = (Get-ChildItem Cert:\LocalMachine\My\).Thumbprint
$certhash = $selectedCert.Thumbprint


# Note: The “Citrix Broker Service GUID” being used to create the SSL binding may change with the Connector upgrades, however, no change is required to the SSL binding. 
# The binding would persist through these changes and SSL would continue to be enabled for the XML traffic.
netsh http add sslcert ipport=0.0.0.0:443 certhash=$certhash appid=$appID


# Allow only secure traffic
$registryPath = "HKLM:\Software\Citrix\DesktopServer"
$Name = "XmlServicesEnableNonSsl"
$value = "0"
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null

How to Enable SSL on Cloud Connectors to Secure XML Traffic

I will not explain how to do it; that is explained in CTX221671.

But because I'm a bit lazy, I wrote a quick and dirty script that gets the AppID of the service (the Citrix Broker Service GUID) and the cert hash of the computer certificate of the Citrix Cloud Connector and sets the binding via netsh.

This is version 0.1!
No error handling etc.

<#
    set-CTXCloudConnectorToSecureXMLTraffic.ps1

    v0.1 - Initial Version

    https://support.citrix.com/article/CTX221671
    
    netsh http add sslcert ipport=0.0.0.0:443
    certhash=PASTE_CERT_HASH_HERE_FROM_NOTEPAD
    appid={PASTE_XD_GUID_HERE_BETWEEN{}_FROM_NOTEPAD

    Browse to HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer\
    Right-click DesktopServer, select New > DWORD (32-bit) Value
    Name: XmlServicesEnableNonSsl
    Value Data: 0

#>

# Find Citrix Broker Service GUID on the Cloud Connector
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
$keys = Get-Item "HKCR:\Installer\Products\*"

foreach($key in $keys){
    if((get-itemproperty $key[0].PsPath).Productname -eq 'Citrix Broker Service'){
        $CtxBrokerServiceValues = Get-ItemProperty $key.PSPath
    }
}

# Format the string of the Service GUID
# It is important to mention that the entry in the registry is presented without the dashes for the GUID.
# Please make sure that the dashes are added in the following format: 8-4-4-4-12
$appID = '{' + ($CtxBrokerServiceValues.PSChildName) + '}'
$appID = $appID.Insert(9,'-')
$appID = $appID.Insert(14,'-')
$appID = $appID.Insert(19,'-')
$appID = $appID.Insert(24,'-')


# Get CC Computer Certificate Thumbprint
$certhash = (Get-ChildItem Cert:\LocalMachine\My\).Thumbprint

# Note: The “Citrix Broker Service GUID” being used to create the SSL binding may change with the Connector upgrades, however, no change is required to the SSL binding. 
# The binding would persist through these changes and SSL would continue to be enabled for the XML traffic.
netsh http add sslcert ipport=0.0.0.0:443 certhash=$certhash appid=$appID


# Allow only secure traffic
$registryPath = "HKLM:\Software\Citrix\DesktopServer"
$Name = "XmlServicesEnableNonSsl"
$value = "0"
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null

The aftermath of the Citrix ADC vulnerability CVE-2019-19781

The security advisory CTX267027 that Citrix issued in December 2019 for Citrix ADC / Citrix Gateway caused a big stir in January 2020 when the vulnerability was exploited in the wild.

As HiSolutions now reports, this incident still has aftereffects. Attackers who exploited the vulnerability installed additional backdoors on the affected systems, and those backdoors are now (8 months later) being used. This also applies to systems that were patched in the meantime.

CERT-Bund reported via Twitter in August 2020 that around 200 Citrix ADC systems are still vulnerable to CVE-2019-19781.

The HiSolutions report describes further measures you can take to protect yourself.

On deyda.net, Manuel Winkel has provided a checklist for checking your Citrix ADC / Citrix Gateway appliances for exploitation of CVE-2019-19781.