Exploring critical vulnerabilities in Citrix NetScaler and SAP GUI, highlighting the risks of token theft and data exposure, and outlining basic mitigation strategies.

The cybersecurity landscape is ever-evolving, and recent disclosures concerning Citrix and SAP GUI highlight the persistent threats organizations face. With vulnerabilities leading to potential token theft and sensitive data exposure, understanding these issues is crucial. Let's delve into the specifics.
Citrix Bleed 2: A New Wave of Token Theft
A critical-rated security flaw, CVE-2025-5777, in NetScaler ADC and Gateway products (formerly Citrix ADC and Gateway) has emerged, threatening unauthorized access via token theft. Dubbed 'Citrix Bleed 2' due to its similarities to the infamous CVE-2023-4966, this vulnerability stems from insufficient input validation. Attackers can exploit this flaw to grab valid session tokens from memory through malformed requests, effectively bypassing authentication. This is particularly concerning when NetScaler is configured as a Gateway or AAA virtual server.
Although no in-the-wild weaponization has been confirmed yet, experts believe the flaw has all the hallmarks of a high-interest target for malicious actors, which amplifies the urgency. The limitations initially attached to the vulnerability have since been removed, suggesting a potentially broader impact than first anticipated.
Versions at Risk and Mitigation
Several NetScaler ADC and Gateway versions are affected, including 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, and various FIPS-compliant versions. Alarmingly, versions 12.1 and 13.0, now End of Life (EOL), remain vulnerable with no patches available. Organizations using Secure Private Access on-premises or hybrid deployments with NetScaler instances are urged to upgrade immediately. After upgrading, terminating all active ICA and PCoIP sessions is crucial, so that any session tokens already captured cannot be reused.
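As an added defender-side check, not code from the original article: a small Python triage helper that classifies NetScaler ADC/Gateway version strings against the thresholds stated above (14.1-43.56, 13.1-58.32, EOL 12.1 and 13.0). The `14.1-43.56` version-string format, the hostnames and the sample inventory are assumptions; FIPS builds are not tabled in the text, so they are reported as unknown rather than assumed safe.

```python
import re
from typing import Dict, NamedTuple, Tuple


class Verdict(NamedTuple):
    status: str   # "fixed", "vulnerable", "eol" or "unknown"
    reason: str


# First fixed builds named in the text: 14.1-43.56 and 13.1-58.32
FIXED_BUILDS = {"14.1": (43, 56), "13.1": (58, 32)}
# Branches the text lists as End of Life with no patch available
EOL_BRANCHES = {"12.1", "13.0"}

# Assumed format: "<branch>-<build>.<revision>", e.g. "14.1-43.56"
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, int, int]:
    """Split '14.1-43.56' into ('14.1', 43, 56); raise on anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess_cve_2025_5777(version: str) -> Verdict:
    """Classify one NetScaler ADC/Gateway build against the stated thresholds."""
    branch, build, rev = parse_version(version)
    if branch in EOL_BRANCHES:
        return Verdict("eol", f"{branch} is EOL and gets no fix; migrate to a supported branch")
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # FIPS and other branches are not tabled here; never assume they are safe
        return Verdict("unknown", f"branch {branch} not covered here; consult the vendor advisory")
    if (build, rev) < fixed:
        return Verdict("vulnerable", f"{version} predates {branch}-{fixed[0]}.{fixed[1]}; "
                                     "upgrade, then terminate all ICA and PCoIP sessions")
    return Verdict("fixed", f"{version} is at or past the fixed build")


def needs_action(inventory: Dict[str, str]) -> Dict[str, Verdict]:
    """Return only the hosts whose status is not 'fixed', ready for a ticket queue."""
    results = {host: assess_cve_2025_5777(ver) for host, ver in inventory.items()}
    return {host: v for host, v in results.items() if v.status != "fixed"}


# Constructed sample inventory (hostnames and builds invented for illustration)
SAMPLE_INVENTORY = {
    "gw-east": "14.1-43.56", "gw-west": "14.1-29.63", "gw-lab": "13.1-58.32",
    "gw-old": "13.1-53.17", "gw-legacy": "12.1-55.304",
}

if __name__ == "__main__":
    for host, verdict in needs_action(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict.status} - {verdict.reason}")
```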
SAP GUI's Input History: A Data Exposure Nightmare
On another front, vulnerabilities CVE-2025-0055 and CVE-2025-0056 in SAP GUI for Windows and SAP GUI for Java expose sensitive information through insecure storage of the input history. The input history feature, designed for user convenience, stores previously entered field values locally. Researchers found, however, that this history is stored insecurely in both the Java and Windows versions. Stored values can include usernames, national IDs, social security numbers (SSNs), bank account numbers, and internal SAP table names.
The Windows version protects the history with a weak XOR-based encryption scheme that is easily decoded, while the Java version stores entries unencrypted. An attacker with administrative privileges, or with access to the victim's user directory, can read this data, potentially leading to severe confidentiality breaches. Exfiltration through HID injection attacks or phishing becomes a real threat.
Securing Your SAP GUI
To mitigate these risks, disabling the input history functionality and deleting existing database or serialized object files from the designated directories is strongly recommended.
Putting It All Together: A Call to Action
These vulnerabilities in Citrix and SAP GUI underscore the need for proactive security measures. Regularly updating systems, promptly applying patches, and implementing recommended mitigations are essential steps in safeguarding against potential exploits.
It's a jungle out there in cybersecurity, isn't it? But with vigilance and a proactive approach, you can keep those digital predators at bay. Stay safe, stay updated, and keep those patches rolling!