HTTP Open Redirect Vulnerability in License Server
Article ID: CTX220379
Description
This article explains the steps required to apply the manual workaround for the issue described in CTX219885 – Open Redirect Vulnerability in Citrix License Server for Windows and License Server VPX. That advisory is available at the following address:
https://support.citrix.com/article/ctx219885
This issue only applies to License Server versions prior to 11.14.0.1 Build 20104.
This manual workaround is intended for users of the License Server for Windows and License Server VPX version 11.14.0.1 only.
Older versions of the License Server for Windows and the License Server VPX are not supported, and use of this workaround on those versions is at the user's own risk.
Resolution
To address the issue, upgrade to the following versions or later:
License Server for Windows - Version 11.14.0.1 Build 23101
License Server VPX - Version 11.14.0.1 Build 19800
Manual Workaround
If an upgrade is not immediately possible, the issue can be mitigated by changing the configuration of the underlying web server (Apache httpd, run by lmadmin) used by the License Server. Back up the original configuration files before making any changes.
The workaround uses mod_security to look for the "location=/" pattern (and its URL-encoded forms "location=%2f" and "location=%2F") in requests to the admin GUI and to deny any request containing it. When a rule matches, the Citrix Licensing Administration Console returns HTTP 403 Forbidden for that request. Because the rules are a pattern match on the raw request, they block only the three forms listed; the workaround is an interim mitigation, and upgrading to a fixed build remains the proper fix.
Note that because the web server configuration file (httpd.conf) is dynamically generated when lmadmin starts, the workaround cannot be placed in httpd.conf directly. It must be applied in two parts: a reference in the server.xml file, and an additional configuration file that server.xml points to.
Create the additional configuration file:
- Log into the License Server using an account with local administrative permissions (for Windows servers) or root user (for VPX).
- Locate the directory containing the License Server configuration files. In default Windows installations, this will be C:\Program Files (x86)\Citrix\licensing\ls\conf. On the License Server VPX, this is /opt/citrix/licensing/LS/conf.
- Create a new file in the \conf directory called ctxHttpd.conf
- Using a text editor, open ctxHttpd.conf and populate it with the following information:
<IfModule mod_security2.c>
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
# Uncomment the line below for License Server VPX ONLY
# SecDataDir /tmp
# Uncomment the line below for License Server Windows ONLY
# SecDataDir $(TMP)
</IfModule>
SecRule REQUEST_URI|ARGS|REQUEST_BODY "location=/" "log,deny,msg:'Access Denied'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "location=%2f" "log,deny,msg:'Access Denied'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "location=%2F" "log,deny,msg:'Access Denied'"
- Save the file and exit the editor.
A reference to this file must then be added to the existing server.xml file using the includeHttpdConfigFile attribute:
- Locate the server.xml file in the \conf directory and open it with a text editor.
- Find the <webServer> element and add the following attribute:
For Windows servers:
includeHttpdConfigFile="C:\Program Files (x86)\Citrix\licensing\ls\conf\ctxHttpd.conf"
For the VPX:
includeHttpdConfigFile="/opt/citrix/licensing/LS/conf/ctxHttpd.conf"
An example of the completed attribute for the Windows License Server is below:
<webServer documentRoot="web" includeHttpdConfigFile="C:\Program Files (x86)\Citrix\licensing\ls\conf\ctxHttpd.conf" logRoot="logs" maxRequestSize="4" maxThreads="10" pageSize="20" port="0" redirectHTTP="false" securePort="8082">
- Save the file and exit the editor.
Once the changes have been made, the License Server must be restarted for them to take effect. After the restart, confirm that the admin console still loads normally and that a request containing "location=/" is answered with HTTP 403. As with all changes, we recommend that these are tested before the License Server is released into a production environment.
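The following script is an added example, not part of this article or of Citrix's own tooling. It carries out the VPX variant of the steps above on a given conf directory: it writes ctxHttpd.conf with the rules shown in this article (SecDataDir set to /tmp, as the VPX comment instructs), backs up server.xml with a timestamped copy, and inserts the includeHttpdConfigFile attribute into the <webServer> element. It assumes the element is written as <webServer ...> on one line, as in the example above, and is idempotent: a second run does not add a second attribute or a second backup. Restarting the License Server is left to the operator, since the article does not specify the restart command.

```shell
#!/bin/sh
# Added example (not Citrix's own script): apply the CTX220379 manual
# workaround to a License Server VPX conf directory.
# Usage: sh apply_ctx220379.sh /opt/citrix/licensing/LS/conf [/tmp]
set -eu

# write_ctx_httpd_conf CONF_DIR SECDATADIR
# Writes ctxHttpd.conf containing the mod_security rules from the article.
write_ctx_httpd_conf() {
    conf_dir=$1
    secdatadir=$2
    cat > "$conf_dir/ctxHttpd.conf" <<EOF
<IfModule mod_security2.c>
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecDataDir $secdatadir
</IfModule>
SecRule REQUEST_URI|ARGS|REQUEST_BODY "location=/" "log,deny,msg:'Access Denied'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "location=%2f" "log,deny,msg:'Access Denied'"
SecRule REQUEST_URI|ARGS|REQUEST_BODY "location=%2F" "log,deny,msg:'Access Denied'"
EOF
}

# add_include_attribute CONF_DIR
# Backs up server.xml, then adds includeHttpdConfigFile="<CONF_DIR>/ctxHttpd.conf"
# to the <webServer ...> element. Does nothing if the attribute is already present.
add_include_attribute() {
    conf_dir=$1
    xml="$conf_dir/server.xml"
    if grep -q 'includeHttpdConfigFile=' "$xml"; then
        return 0
    fi
    cp -p "$xml" "$xml.bak-$(date +%Y%m%d%H%M%S)"
    # Rewrite via a temp file so the original's ownership and mode are kept.
    sed "s#<webServer #<webServer includeHttpdConfigFile=\"$conf_dir/ctxHttpd.conf\" #" \
        "$xml" > "$xml.tmp"
    cat "$xml.tmp" > "$xml"
    rm -f "$xml.tmp"
}

# check_workaround CONF_DIR
# Returns 0 only if both pieces of the workaround are in place.
check_workaround() {
    conf_dir=$1
    [ -f "$conf_dir/ctxHttpd.conf" ] &&
    grep -q 'SecRule REQUEST_URI|ARGS|REQUEST_BODY "location=/"' "$conf_dir/ctxHttpd.conf" &&
    grep -q "includeHttpdConfigFile=\"$conf_dir/ctxHttpd.conf\"" "$conf_dir/server.xml"
}

# apply_workaround CONF_DIR SECDATADIR
apply_workaround() {
    write_ctx_httpd_conf "$1" "$2"
    add_include_attribute "$1"
}

# Command-line entry point: only runs when a conf directory is given.
if [ -n "${1:-}" ]; then
    apply_workaround "$1" "${2:-/tmp}"
    check_workaround "$1" && echo "workaround applied to $1; restart the License Server"
fi
```

After restarting, a request such as `curl -k -o /dev/null -w '%{http_code}\n' 'https://<server>:8082/?location=/'` (the 8082 port is the securePort from the example above; the exact admin GUI path is an assumption here) should return 403, while a normal console request should still return 200.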
Issue/Introduction
This article is the workaround for the security vulnerability described in CTX219885.