CVE-2011-2883 - Vulnerability Details - OpenCVE

The NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access Gateway Enterprise Edition 8.1 before 8.1-67.7, 9.0 before 9.0-70.5, and 9.1 before 9.1-96.4 attempts to validate signed DLLs by checking the certificate subject, not the signature, which allows man-in-the-middle attackers to execute arbitrary code via HTTP header data referencing a DLL that was signed with a crafted certificate.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Citrix	Access Gateway

Configuration 1 [-]

OR	cpe:2.3:a:citrix:access_gateway:8.1::enterprise:::::
	cpe:2.3:a:citrix:access_gateway:9.0::enterprise:::::
	cpe:2.3:a:citrix:access_gateway:9.1::enterprise:::::

No data.

References

Link	Providers
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=928

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2011-07-21T23:00:00Z

Updated: 2024-09-17T01:42:00.092Z

Reserved: 2011-07-21T00:00:00Z

Link: CVE-2011-2883

Vulnrichment

No data.

NVD

Status : Modified

Published: 2011-07-21T23:55:04.317

Modified: 2024-11-21T01:29:11.590

Link: CVE-2011-2883

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access Gateway Enterprise Edition 8.1 before 8.1-67.7, 9.0 before 9.0-70.5, and 9.1 before 9.1-96.4 attempts to validate signed DLLs by checking the certificate subject, not the signature, which allows man-in-the-middle attackers to execute arbitrary code via HTTP header data referencing a DLL that was signed with a crafted certificate."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2011-07-21T23:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20110714 Citrix Access Gateway ActiveX Arbitrary Libary Loading Vulnerability", "tags": ["third-party-advisory", "x_refsource_IDEFENSE"], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=928"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-2883", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access Gateway Enterprise Edition 8.1 before 8.1-67.7, 9.0 before 9.0-70.5, and 9.1 before 9.1-96.4 attempts to validate signed DLLs by checking the certificate subject, not the signature, which allows man-in-the-middle attackers to execute arbitrary code via HTTP header data referencing a DLL that was signed with a crafted certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20110714 Citrix Access Gateway ActiveX Arbitrary Libary Loading Vulnerability", "refsource": "IDEFENSE", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=928"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T23:15:31.606Z"}, "title": "CVE Program Container", "references": [{"name": "20110714 Citrix Access Gateway ActiveX Arbitrary Libary Loading Vulnerability", "tags": ["third-party-advisory", "x_refsource_IDEFENSE", "x_transferred"], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=928"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-2883", "datePublished": "2011-07-21T23:00:00Z", "dateReserved": "2011-07-21T00:00:00Z", "dateUpdated": "2024-09-17T01:42:00.092Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:citrix:access_gateway:8.1:*:enterprise:*:*:*:*:*", "matchCriteriaId": "9A7BC4F8-DF07-499B-90CD-53EAB854014B", "vulnerable": true}, {"criteria": "cpe:2.3:a:citrix:access_gateway:9.0:*:enterprise:*:*:*:*:*", "matchCriteriaId": "0DCDF4DE-F0DF-427A-980C-62314FCE6A45", "vulnerable": true}, {"criteria": "cpe:2.3:a:citrix:access_gateway:9.1:*:enterprise:*:*:*:*:*", "matchCriteriaId": "F409FE7A-88D6-4FFB-8D78-0C0FCFB5DD8E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access Gateway Enterprise Edition 8.1 before 8.1-67.7, 9.0 before 9.0-70.5, and 9.1 before 9.1-96.4 attempts to validate signed DLLs by checking the certificate subject, not the signature, which allows man-in-the-middle attackers to execute arbitrary code via HTTP header data referencing a DLL that was signed with a crafted certificate."}, {"lang": "es", "value": "El control activeX NSEPA.NsepaCtrl.1 en nsepa.ocx de Citrix Access Gateway Enterprise Edition v8.1 antes de v8.1-67.7, v9.0 antes de v9.0-70.5 y v9.1 antes de v9.1-96.4 intenta validar archivos DLL firmados mediante el control del asunto del certificado en lugar de la firma, que permite a los atancante de hombre en el medio ejecutar c\u00f3digo arbitrario a trav\u00e9s de datos de cabecera HTTP que referencian a una DLL firmada por un certificado manipulado."}], "id": "CVE-2011-2883", "lastModified": "2024-11-21T01:29:11.590", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2011-07-21T23:55:04.317", "references": [{"source": "cve@mitre.org", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=928"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=928"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}