A recently discovered vulnerability in Citrix Federated Authentication Service (FAS) versions 7.17 to 10.6 (CVE-2022-26355) could expose sensitive certificate data to unauthorized access. This vulnerability only affects FAS deployments that have been configured to store a registration authority certificate's private key in a Trusted Platform Module (TPM) using PowerShell. In such cases, the private key is not stored in the TPM as expected but rather in the Microsoft Software Key Storage Provider (MSKSP). If FAS was configured using the FAS administration console or TPM was not selected for use, the vulnerability does not occur. In this post, we will discuss the exploit details, provide code snippets to identify if your deployment is affected, and share mitigation steps to secure your environment.

Exploit Details

Due to an incorrect storage procedure in FAS configurations, the registration authority certificate's private key is saved in the MSKSP instead of the TPM. This storage vulnerability could lead to unauthorized access and manipulation of private key data, compromising the security of your Citrix environment and the integrity of your certificate-based authentication.

The issue occurs in FAS configurations where PowerShell was used with the TPM option. The following code snippet is an example of a vulnerable FAS configuration:

# PowerShell snippet for vulnerable FAS configuration
$CitrixPrivateKeyStorage = 'TPM'
$secureString = ConvertTo-SecureString -String "YourPassword" -AsPlainText -Force
New-FasMsCertificateDefinition -Name 'FAS-RA-Cert' -SubjectName 'CN=FAS Registration Authority' -Password $secureString -PrivateKeyStorageProvider $CitrixPrivateKeyStorage

Identification and Mitigation

To identify if your environment is affected by CVE-2022-26355, you can use the following PowerShell command:

$certDef = Get-FasMsCertificateDefinition -Name 'FAS-RA-Cert'
$certDef.PrivateKeyStorageProvider

If the output returns 'MSKSP', your environment is affected by this vulnerability. To mitigate the vulnerability, follow these steps:

1. Remove the existing registration authority certificate definition using PowerShell:

   Remove-FasMsCertificateDefinition -Name 'FAS-RA-Cert'

2. Re-create the certificate definition, either from the FAS administration console:

   i. Launch the FAS administration console and navigate to the 'Registration Authority' section.

   ii. Click 'Add' and fill in the required details. Make sure to select 'Trusted Platform Module (TPM)' as your private key storage provider.

3. Or from PowerShell, using the correct TPM storage provider:

   $CitrixPrivateKeyStorage = 'TPM2-NCIPHER'
   $secureString = ConvertTo-SecureString -String "YourPassword" -AsPlainText -Force
   New-FasMsCertificateDefinition -Name 'FAS-RA-Cert' -SubjectName 'CN=FAS Registration Authority' -Password $secureString -PrivateKeyStorageProvider $CitrixPrivateKeyStorage

4. Verify that your environment is no longer affected by running the identification PowerShell command again. The output should now return 'TPM2-NCIPHER' or another TPM-related value.
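The identification command above reports what the FAS certificate definition claims. As an added example that is not from the Citrix post, the following PowerShell asks Windows directly which key storage provider actually holds the private key of each machine certificate matching the registration authority subject, which is the ground truth this CVE is about. The subject filter, store path and provider names are assumptions for this illustration; adjust them to your deployment.

```powershell
# Added example (not Citrix's code): report the real key storage provider
# behind each matching certificate's private key. Assumed values: the
# subject pattern, the LocalMachine\My store and the two provider names.
function Get-RaKeyProviderReport {
    param(
        [string]$SubjectPattern = 'FAS Registration Authority',
        [string]$StorePath      = 'Cert:\LocalMachine\My'
    )
    $softwareKsp = 'Microsoft Software Key Storage Provider'   # key in software
    $tpmKsp      = 'Microsoft Platform Crypto Provider'        # key in the TPM

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$SubjectPattern*" -and $_.HasPrivateKey } |
        ForEach-Object {
            $cert     = $_
            $provider = $null
            try {
                # Resolve the private key handle; CNG keys come back as RSACng,
                # legacy CAPI keys as RSACryptoServiceProvider.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $provider = $rsa.Key.Provider.Provider
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $provider = $rsa.CspKeyContainerInfo.ProviderName
                }
            } catch {
                $provider = "unreadable: $($_.Exception.Message)"
            }

            if ($provider -eq $tpmKsp) {
                $status = 'OK: hardware-backed (TPM)'
            } elseif ($provider -eq $softwareKsp) {
                $status = 'AFFECTED: private key lives in the software KSP'
            } else {
                # nCipher or other HSM providers land here; confirm them by hand.
                $status = 'REVIEW: unexpected or unreadable provider'
            }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Provider   = $provider
                Status     = $status
            }
        }
}

Get-RaKeyProviderReport | Format-Table -AutoSize
```

Run it on the FAS server both before and after the mitigation; a row whose Provider is the software KSP means the key never reached the TPM regardless of what the definition says.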

Original References

For more information about this vulnerability and Citrix's response, refer to the following official Citrix resources:

1. Citrix Security Advisory
2. Citrix FAS Deployment Guide

Conclusion

CVE-2022-26355 is a notable vulnerability in Citrix FAS deployments that were incorrectly configured to store a registration authority certificate's private key in TPM through PowerShell. It's essential that administrators review their Citrix environments and take appropriate steps to secure their private key data from unauthorized access. To ensure your Citrix FAS deployment is secure, follow the identification and mitigation instructions provided in this post. Stay vigilant and keep your systems up-to-date to prevent similar vulnerabilities in the future!

Timeline

Published on: 03/10/2022 17:47:00 UTC
Last modified on: 03/18/2022 13:47:00 UTC