GCN Tech Blog

By GCN Staff

Blog archive

Lock down those Citrix gateways!

Here's an underappreciated network vulnerability that the system administrator should give some thought about: Citrix gateways.

A security researcher has found a number government networks that he was able to breach by using unsecured Citrix Presentation Server gateways.

Cue the obligatory sound-the-alarm quote here: 'The Internet is full of wide open CITRIX gateways. This is madness!' wrote security researcher Petko D. Petkov, in his blog posting.

Petkov's idea was deviously simple: Do a Google search for publicly-accessible files with the .ICA extension. Independent Computer Architecture files contain the configuration information that remote computers use to tap into Microsoft Windows applications over a network, using WinFrame or Citrix Presentation Server, formerly called MetaFrame.

When available over the Internet, such configuration files offer a wealth of information to malicious hackers about the server operating environments of these gateways. Even more troublesome is how the researcher found that, using his own Citrix client software, he was able to access many of these remotely available applications without log-in access:



eWeek covered this problem and attributed the vulnerability less to Citrix's software itself and more to sysadmin laxness in not properly managing port 1494, the port Citrix software usually deploys to supply applications to end users.

"Citrix is able to be secured, but that's like everything else in computing: the admin needs a brain," one security observer noted on a mailing list.

Posted by Joab Jackson on Oct 11, 2007 at 9:39 AM


Featured

  • FCW Perspectives
    tech process (pkproject/Shutterstock.com)

    Understanding the obstacles to automation

    As RPA moves from buzzword to practical applications, agency leaders say it’s forcing broader discussions about business operations

  • Federal 100 Awards
    Federal 100 logo

    Fed 100 nominations are now open

    Help us identify this year's outstanding individuals in federal IT.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.