A Citrix Breakout Test identifies ways in which a user of your Citrix environment may be able to access functionality on the Citrix server or surrounding systems which they are not intended to access.
Citrix environments can be complex: they are easier to get working than to get working securely. Initial testing of a new Citrix environment by your team probably focused on making sure everyone could do their job remotely. Our breakout testing takes a different perspective: we look to confirm that no-one, whether an employee or an attacker from outside your organisation, can reach systems or data they are not authorised to access. The test checks that your Citrix environment has been set up in line with security best practice and that your users can only reach the functionality they are authorised to use.
Because, by default, a Citrix published desktop or application relies on Active Directory Group Policy (and related Windows controls such as AppLocker) to restrict what a user can do, it is very common for some restrictions to be missing, or to be applied only to some users or session hosts. An attacker can then bypass them and move into your network. In the worst case, an attacker who has obtained a standard Domain User account may reach resources on the underlying Citrix server that let them pivot into the surrounding infrastructure and the Domain.
Methodology
During the assessment, the following activities give examples of what will be attempted using a standard Domain User account:
Gaining command prompt access
If an attacker can reach a command prompt or PowerShell, they can quickly take control of the server, install malware or cause damage. We test a range of vectors including Open/Save file dialogs, Help menus and even the MS Paint app, any of which can offer a way to browse to and launch cmd.exe or powershell.exe if the session has not been restricted.
Executing code through Microsoft Office macros
Microsoft Office includes a powerful set of tools that an attacker can abuse if they have not been correctly configured. Visual Basic for Applications (VBA) macros can launch a command prompt, and the Developer tab (the VBA editor and ActiveX controls) can be used to embed a web browser in a document or to run arbitrary applications on the server.
Accessing the underlying operating system on the Citrix server
Whether your Citrix server runs on Windows or Linux, if the host operating system can be reached it can be used as a stepping stone to compromise the whole server and then pivot to other servers on the same network.
File-system access on the Citrix server
If the Citrix environment is not correctly hardened, the file system can be reached in a number of ways, for example through the Open/Save dialogs of a published application. This could allow data to be exfiltrated, malware to be installed or the server configuration to be altered.
Accessing other adjacent hosts that are on the same network as the Citrix server
If an attacker is able to compromise your Citrix server, virtual machines on the same host and other servers on the same network could be targeted next. We check that it is not possible for an attacker to jump from the Citrix host to other systems on your network.
Uploading and executing exploit code through the restricted desktop or application
During the assessment we identify ways in which malicious code can be uploaded to the Citrix server. In a real attack, malicious users often upload exploit code and hacking tools to the server so that they can further their attack. We identify the upload routes available to your Citrix users, such as client drive mapping, clipboard redirection and file upload features within the published applications, and locate those that could allow malicious applications to be placed on the server.
Vertical and Horizontal Privilege Escalation
Vertical Privilege Escalation is the ability of an attacker to elevate their rights to a more powerful account, such as Local Administrator, or to run an application with those privileges. Horizontal Privilege Escalation allows the attacker to switch to a different user account of similar rank in order to take advantage of the permissions that account has been granted. Either would let an attacker use the Citrix server to establish a beachhead in your network and launch further attacks from inside it.
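The methodology above (command prompt access, Office macros, file-system access) is decided by a handful of Group Policy and AppLocker settings that apply to the user's session. The following PowerShell snapshot is an added example, not SecureTeam's tooling, that reads those settings from inside a published desktop or application as the standard domain user under test, so you can see before an engagement which vectors are still open. It assumes Office 2016 or later (the `16.0` policy key) and only reads the registry; it does not attempt any breakout. Machine-level equivalents under HKLM and AppLocker rules scoped to other groups are not shown, so a "configured" result here is necessary but not sufficient.

```powershell
# Added example: snapshot of the user-side controls behind the Citrix breakout
# vectors. Run inside the published session as the test user (policies live in
# HKCU). Read-only. Office version key 16.0 is an assumption.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value absent = policy not configured for this user
    }
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, $Value, [string]$Note) {
    $findings.Add([pscustomobject]@{ Control = $Control; Value = $Value; Note = $Note })
}

# 1. Command prompt and Run dialog (vectors: file dialogs, Help menus, MS Paint)
$disableCmd = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
Add-Finding 'Prevent access to the command prompt (DisableCMD)' $disableCmd `
    $(if ($disableCmd) { 'configured' } else { 'NOT configured: cmd.exe runs if it can be reached' })

$noRun = Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoRun'
Add-Finding 'Remove Run from Start menu (NoRun)' $noRun `
    $(if ($noRun -eq 1) { 'configured' } else { 'NOT configured' })

# 2. PowerShell: execution policy governs scripts only; language mode limits
#    what an interactive prompt can do with .NET and COM
Add-Finding 'PowerShell execution policy' (Get-ExecutionPolicy) 'does not stop interactive use'
Add-Finding 'PowerShell language mode' $ExecutionContext.SessionState.LanguageMode `
    'ConstrainedLanguage restricts .NET/COM from a prompt'

# 3. Drive visibility in Explorer and in Open/Save dialogs (file-system vector)
$noView = Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoViewOnDrive'
Add-Finding 'Prevent access to drives from My Computer (NoViewOnDrive)' $noView `
    $(if ($noView) { "drive bitmask $noView" } else { 'NOT configured: local drives browsable from dialogs' })

# 4. Office macro policy. VBAWarnings: 1 enable all, 2 disable with notification,
#    3 disable except digitally signed, 4 disable all without notification
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $v = Get-PolicyValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" 'VBAWarnings'
    Add-Finding "$app macros (VBAWarnings)" $v `
        $(if ($v -in 3, 4) { 'macros blocked' } else { 'macros can run (user-enabled or no policy)' })
}

# 5. AppLocker: would the current user be allowed to launch the usual breakout binaries?
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$targets = 'C:\Windows\System32\cmd.exe',
           'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
           'C:\Windows\System32\mspaint.exe'
try {
    $policy = Get-AppLockerPolicy -Effective
    Test-AppLockerPolicy -PolicyObject $policy -Path $targets -User $user |
        ForEach-Object { Add-Finding "AppLocker: $($_.FilePath)" $_.PolicyDecision "rule: $($_.MatchingRule)" }
} catch {
    Add-Finding 'AppLocker' 'n/a' "module or service unavailable: $($_.Exception.Message)"
}

$findings | Format-Table -AutoSize -Wrap
```

Anything reported as NOT configured, or an AppLocker decision of Allowed or AllowedByDefault for cmd.exe or powershell.exe, is exactly the gap that the dialog-box and macro vectors above turn into a command prompt; treat the output as a pre-engagement checklist rather than a substitute for the test.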
Prerequisites
- A signed and completed testing consent form
- Logon credentials for a standard domain user account
- Access to your Citrix logon portal (may require VPN access or IP address whitelisting)
Deliverables
Engaging with SecureTeam for your Citrix Breakout Test will provide you with the following:
In-flight Support
Prior to your test commencing, our consultant(s) will discuss the scope of work with you, so that a full understanding is obtained of your Citrix environment and how people connect to it – either in your network or over the Internet. This not only allows the test to run more efficiently, but also allows the discovered vulnerabilities to be rated more accurately in terms of risk.
During the testing phase, our consultant(s) will engage directly with you – notifying you of any critical vulnerabilities that may be present within your application or infrastructure and any evidence in our results that indicates a security breach may have already taken place.
Reporting
Once the Citrix breakout test has been completed, you will be provided with the following:
Comprehensive Technical Report
Our clear & concise reporting format contains an Executive Summary that can be understood by all members of your organisation – including individuals who may be in management or non-technical roles. All vulnerabilities are explained to a sufficient level of technical detail, so that your development team and systems administrators can quickly pinpoint the root cause of the vulnerability and apply the recommended course of action.
Technical References
Where applicable, we provide additional reference URLs for each vulnerability, so that further information and mitigation advice can be obtained from reputable sources of technical information.
Risk-Based Approach with CVSS Scoring
A risk-based approach is used throughout the report and all vulnerabilities are scored in line with CVSS (Common Vulnerability Scoring System). This allows the contents of the report to be fed into your own internal risk assessments and allows a plan to be developed to address the vulnerabilities which present the highest risk to your organisation.
Secure & Encrypted Report Delivery
Due to the sensitive content that our test reports may contain, every report is delivered through a secure file delivery mechanism. Reports are encrypted with AES-256 and protected with a strong, randomly generated password that is sent to you out-of-band by SMS. The encrypted file is then made available through an encrypted, expiring download link, so that you can retrieve the report securely to your workstation.
After Care
Once our consultancy engagement is complete and our final report has been delivered to you, our consultancy team remain available to you indefinitely for any questions you may have surrounding the report’s findings or our consultancy engagement with you.
We pride ourselves on partnering with our customers to provide ad hoc security advice and to ensure that our engagement with you doesn't simply end once the final report has been delivered.
We are committed to ensuring that you receive the utmost value out of our consultancy services and look forward to developing a long-lasting business relationship with you.
Conference Call
Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.
A conference call is suitable for both management and technical staff. It provides the ideal opportunity to ensure that all vulnerabilities and their recommended course of action are fully understood, both by stakeholders and by the technical staff who will be tasked with applying the recommendations.
Find out more
If you'd like to find out more about our services or would like us to provide you with a quotation, please fill out the following form and one of our team will get in touch with you.