
Security Best Practice: Blocking Citrix ICA Session Sharing (Seamless Window) Vulnerabilities


Check Point Reference: SBP-2010-36
Date Published:
Severity:
Source: IPS Research Center
Protection Provided by: Security Gateway
  • R75
Who is Vulnerable?
Citrix ICA
Vulnerability Description
Independent Computing Architecture (ICA) is a proprietary protocol for an application server system, designed by Citrix Systems. The protocol lays down a specification for passing data between server and clients. ICA is broadly similar in purpose to window servers such as the X Window System. It also provides for the feedback of user input from the client to the server, and a variety of means for the server to send graphical output, as well as other media such as audio, from the running application to the client.
Vulnerability Details
The Seamless Windows feature improves the user experience at the Citrix ICA client by making the application appear as though it were running locally. In seamless window mode, session sharing takes place: multiple applications can be opened over the same connection. From a security perspective, seamless windows are less secure. Because the session negotiations for all but the first application are encrypted, IPS cannot properly inspect the Citrix ICA connection. In a non-seamless window, the session negotiation for the single application at the start of the connection is unencrypted, so SmartDefense is able to inspect the connection.
Note that in the Citrix ICA server, session sharing is enabled by default. 

Protection Overview
This protection prevents the client from launching an application in seamless window mode. This disables session sharing, since session sharing can only take place in a seamless window.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab, and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Application Intelligence > Citrix ICA.
2. In the right pane, double-click the Citrix ICA Session Sharing (Seamless Window) protection.
3. In the Protection Details window, click Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect) and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Citrix Enforcement Violation
Attack Information: Citrix ICA Session Sharing (Seamless Window)
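The two log fields above are what an analyst filters on to see how often this protection fires and, more importantly, which hits were only logged in Detect mode (those seamless sessions went ahead and their later application negotiations were not inspected). The script below is an added example, not part of the Check Point advisory and not Check Point tooling; it assumes a constructed key=value export layout for SmartView Tracker records (the real export format is not described on the page) and constructed sample lines, and it reports matches per source host and per action.

```python
from collections import Counter

# Constructed sample log export (assumed "key=value; key=value" layout; the page
# does not specify the real SmartView Tracker export format). Hosts, times and
# the ICA service port 1494 are sample values, not data from the advisory.
SAMPLE_LOG = """\
time=2010-11-02 10:14:05; action=prevent; src=10.1.2.33; dst=10.1.9.10; service=1494; attack_name=Citrix Enforcement Violation; attack_info=Citrix ICA Session Sharing (Seamless Window)
time=2010-11-02 10:14:09; action=accept; src=10.1.2.40; dst=10.1.9.10; service=1494
time=2010-11-02 10:15:21; action=detect; src=10.1.2.51; dst=10.1.9.11; service=1494; attack_name=Citrix Enforcement Violation; attack_info=Citrix ICA Session Sharing (Seamless Window)
time=2010-11-02 10:16:00; action=prevent; src=10.1.2.33; dst=10.1.9.10; service=1494; attack_name=Citrix Enforcement Violation; attack_info=Citrix ICA Session Sharing (Seamless Window)
"""

# The Attack Name / Attack Information values the advisory says this protection logs.
ATTACK_NAME = "Citrix Enforcement Violation"
ATTACK_INFO = "Citrix ICA Session Sharing (Seamless Window)"


def parse_line(line):
    """Split one 'key=value; key=value' record into a dict.

    Values may contain spaces, colons and parentheses, so split each field on
    the first '=' only.
    """
    fields = {}
    for part in line.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def seamless_window_hits(text):
    """Return the records whose Attack Name and Attack Information match this protection."""
    hits = []
    for line in text.splitlines():
        record = parse_line(line)
        if record.get("attack_name") == ATTACK_NAME and record.get("attack_info") == ATTACK_INFO:
            hits.append(record)
    return hits


def summarize(hits):
    """Count matches per source host and per action.

    A 'detect' entry means the seamless session was logged but not blocked, so
    session sharing proceeded on that connection without further inspection.
    """
    by_src = Counter(h.get("src") for h in hits)
    by_action = Counter(h.get("action") for h in hits)
    return {"total": len(hits), "by_src": dict(by_src), "by_action": dict(by_action)}


if __name__ == "__main__":
    matches = seamless_window_hits(SAMPLE_LOG)
    report = summarize(matches)
    print(f"{report['total']} seamless-window hits")
    for src, count in report["by_src"].items():
        print(f"  source {src}: {count}")
    for action, count in report["by_action"].items():
        print(f"  action {action}: {count}")
```

Running it against the constructed sample lists three hits, two prevented and one only detected; in a real deployment the detect-only hits are the ones to follow up on, because the protection is set to Detect in step 3 above they are the sessions where session sharing was observed but not stopped.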