Skip to content

Instantly share code, notes, and snippets.

Created June 10, 2020 20:06
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save kampji/11e259d68ad98a6f0f898132f1961a96 to your computer and use it in GitHub Desktop.
Save kampji/11e259d68ad98a6f0f898132f1961a96 to your computer and use it in GitHub Desktop.
Vulnerability Name: User Enumeration in Citrix XenApp 6.5
Registered: CVE-2020-13998
Scott Goodwin, OSCP
Jill Kamperides
OCD Tech
Vendor of Product:
Affected Product Code Base:
XenApp - Version 6.5
Attack Type:
Vulnerability Type:
User Enumeration
Vulnerability Impact:
Information Disclosure
Attack Vector:
To exploit this vulnerability, an attacker can use brute force methods
to determine whether or not a list of users exists on the affected
server by monitoring the HTTP responses returned by the server; the
HTTP responses differ substantially between valid and invalid users.
is enabled, allows a remote unauthenticated attacker to ascertain
whether a user exists on the server, because the 2FA error page only
occurs after a valid username is entered.
Additional Information:
Two-factor authentication must be enabled in Citrix XenApp 6.5 for
this vulnerability to be exploited. When a valid user is entered into
the login page (with an invalid password), the server returns a
two-factor authentication error page. When a nonexistent user is entered,
the page does not change. Users on the server can be enumerated with
complete confidence by monitoring which users trigger the two-factor
authentication error page, and which do not.
This vulnerability was disclosed to Citrix on 04/30/2020. Citrix
responded that XenApp version 6.5 has reached its End of Life (EOL)
and will not be receiving a patch. Users are recommended to upgrade
to resolve this vulnerability.
Reporting Timeline:
04/30/2020: Vulnerability was reported to Citrix
05/22/2020: Citrix deems XenApp 6.5 End of Life
06/09/2020: Vulnerability registered
06/10/2020: Public disclosure
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment