Advisory

Han Sahin, August 2014

Advent JMX Servlet of Citrix Command Center is accessible to unauthenticated users

Abstract

It was discovered that the Advent JMX Servlet of Citrix Command Center is accessible to unauthenticated users. This issue can be abused by attackers to compromise the entire application.

Tested version

This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe). Other versions may also be vulnerable.

Fix

Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required).
https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html

Citrix assigned BUG0494204 to this issue.

Introduction

Citrix Command Center is a management and monitoring solution for Citrix application networking products. Command Center enables network administrators and operations teams to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified console.

Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, Java system objects, devices and so on. The Advent JMX Servlet of Citrix Command Center is accessible to unauthenticated users.

Details

The Advent JMX Servlet is exposed at /servlets/Jmx_dynamic. Functionality exposed by the JMX Servlet can be invoked by an unauthenticated attacker, which can lead to unauthorized remote code execution and compromise of the entire application and its services. In addition, this interface is affected by Cross-Site Scripting. For example:
https://<target>:8443/servlets/Jmx_dynamic?fname=<script>alert(document.cookie);</script>
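
For reviewing whether the servlet was reached before the fix was installed, the following is an added example, not part of the original advisory or of Citrix's code. It flags access-log requests to the servlet path named above and fname values carrying markup; the Common Log Format pattern, the finding labels and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

SERVLET = "/servlets/jmx_dynamic"  # path from the advisory, lower-cased for matching
# Assumption: Common/Combined Log Format; adapt the pattern to your server's log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')
MARKUP_RE = re.compile(r"[<>\"']")  # characters the fname parameter has no reason to carry

def fully_decode(value, rounds=3):
    """Percent-decode several times so double-encoded input is inspected in clear."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(line):
    """Return (ip, status, findings) for a request to the JMX servlet, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Normalise the path: decode, drop ;path-parameters, collapse slashes, ignore case.
    path = re.sub(r"/+", "/", re.sub(r";[^/]*", "", fully_decode(url.path)))
    if path.rstrip("/").lower() != SERVLET:
        return None
    findings = ["jmx-servlet-request"]
    if m["status"].startswith("2"):
        findings.append("served")  # the servlet answered; review whether a session existed
    pairs = (p.partition("=") for p in url.query.split("&"))
    if any(fully_decode(k).lower() == "fname" and MARKUP_RE.search(fully_decode(v))
           for k, _, v in pairs):
        findings.append("markup-in-fname")
    return m["ip"], int(m["status"]), findings

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2014:10:01:02 +0200] "GET /servlets/Jmx_dynamic HTTP/1.1" 200 5120
192.0.2.10 - - [12/Aug/2014:10:01:09 +0200] "GET /servlets/Jmx_dynamic?fname=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812
198.51.100.7 - - [12/Aug/2014:10:02:30 +0200] "GET /servlets//Jmx_dynamic;x=1?fname=%253Cb%253E HTTP/1.1" 200 640
198.51.100.7 - admin [12/Aug/2014:10:03:00 +0200] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [12/Aug/2014:10:04:11 +0200] "GET /servlets/Jmx_dynamic?fname=test HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for ip, status, findings in scan(SAMPLE_LOG):
        print(ip, status, ",".join(findings))
```

Any "served" hit from an address outside the administration network on a build older than the fixed one deserves follow-up, whether or not fname carries markup.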
