An exploration of critical vulnerabilities in Citrix NetScaler and SAP GUI, highlighting the risks of token theft and data exposure and offering basic mitigation strategies.
The cybersecurity landscape is ever-evolving, and recent disclosures concerning Citrix and SAP GUI highlight the persistent threats organizations face. With vulnerabilities leading to potential token theft and sensitive data exposure, understanding these issues is crucial. Let's delve into the specifics.
Citrix Bleed 2: A New Wave of Token Theft
A critical-rated security flaw, CVE-2025-5777, in NetScaler ADC and Gateway products (formerly Citrix ADC and Gateway) has emerged, threatening unauthorized access via token theft. Dubbed 'Citrix Bleed 2' due to its similarities to the infamous CVE-2023-4966, this vulnerability stems from insufficient input validation. Attackers can exploit this flaw to grab valid session tokens from memory through malformed requests, effectively bypassing authentication. This is particularly concerning when NetScaler is configured as a Gateway or AAA virtual server.
Although there is no confirmed weaponization yet, experts believe the flaw has all the hallmarks of a high-interest target for malicious actors, which amplifies the urgency. The initial limitations associated with the vulnerability have also been removed, suggesting a potentially broader impact than first anticipated.
Versions at Risk and Mitigation
Several NetScaler ADC and Gateway versions are affected, including 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, and various FIPS-compliant versions. Alarmingly, versions 12.1 and 13.0, now End of Life (EOL), remain vulnerable without available patches. Organizations using Secure Private Access on-premises or hybrid deployments with NetScaler instances are urged to upgrade immediately. Post-upgrade, terminating all active ICA and PCoIP sessions is crucial.
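As an added example (not code from the article, from Citrix, or from the vendor advisory), the following Python checker applies the affected-version thresholds quoted above to an inventory of NetScaler build strings. The fixed builds (14.1-43.56 and 13.1-58.32) and the EOL branches (12.1 and 13.0) come from the article; the `MAJOR.MINOR-BUILD.SUBBUILD` string format, the tuple ordering of builds, and the hostnames and versions in the sample inventory are assumptions of the example. The article mentions FIPS-compliant builds without listing their fixed versions, so the checker deliberately does not cover them.

```python
"""Added example (not from the original article): check whether a NetScaler
ADC/Gateway build string falls in the affected ranges the article lists for
CVE-2025-5777. Fixed builds and EOL branches are taken from the article; the
version-string format 'MAJOR.MINOR-BUILD.SUBBUILD' is an assumption."""
import re

# Fixed builds per branch, as stated in the article.
FIXED_BUILDS = {
    (14, 1): (43, 56),
    (13, 1): (58, 32),
}
# End-of-life branches: vulnerable, with no patch available (per the article).
EOL_BRANCHES = {(12, 1), (13, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version: str):
    """Split '14.1-43.56' into ((14, 1), (43, 56)); raise on unexpected input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor), (build, sub)


def assess(version: str) -> str:
    """Return 'vulnerable', 'vulnerable-eol', 'fixed' or 'unknown-branch'."""
    branch, build = parse_version(version)
    if branch in EOL_BRANCHES:
        return "vulnerable-eol"
    if branch not in FIXED_BUILDS:
        # FIPS builds and other branches are not enumerated by the article,
        # so they are reported as unknown rather than guessed at.
        return "unknown-branch"
    # Tuple comparison orders (43, 100) after (43, 56), unlike string compare.
    return "fixed" if build >= FIXED_BUILDS[branch] else "vulnerable"


def triage(inventory):
    """Map hostname -> status for a list of (hostname, version) pairs."""
    return {host: assess(ver) for host, ver in inventory}


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("gw-prod-01", "14.1-43.56"),
    ("gw-prod-02", "14.1-38.53"),
    ("gw-dr-01", "13.1-58.32"),
    ("gw-dr-02", "13.1-56.18"),
    ("gw-legacy", "13.0-92.21"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Treat `unknown-branch` as "check the vendor advisory", never as "safe", and remember that the article's post-upgrade step (terminating active ICA and PCoIP sessions) still applies to every host the checker reports as fixed after patching.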
SAP GUI's Input History: A Data Exposure Nightmare
On another front, vulnerabilities CVE-2025-0055 and CVE-2025-0056 in SAP GUI for Windows and SAP GUI for Java expose sensitive information through insecure storage of the input history. The input history feature, designed for user convenience, stores previously entered field values locally. Researchers found that this history is stored insecurely in both the Java and Windows versions, and that the stored values can include usernames, national IDs, social security numbers (SSNs), bank account numbers, and internal SAP table names.
The Windows version employs a weak XOR-based encryption scheme that is easily decoded, while the Java version stores entries unencrypted. An attacker with administrative privileges, or with access to the victim's user directory, can read this data, potentially leading to severe confidentiality breaches; exfiltration through HID injection attacks or phishing then becomes a real threat.
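As an added illustration, not code from the article or from SAP, here is a toy model of a static-key XOR scheme of the kind the article describes. The key, the history entries and the record layout are constructed for the example; SAP GUI's real on-disk format is not reproduced. It shows the two things a defender should take from the passage: the transform is reversed by the same key the client must carry to read its own history, and XORing two stored entries cancels the key outright, so any shared prefix between entries appears as zero bytes without the key ever being known. That is why the mitigation is to stop the history from being written at all rather than to trust the encoding.

```python
"""Added example, not from the article or SAP: why a static-key XOR
'encryption' of a locally stored input history gives no confidentiality.
Key, entries and layout are constructed for illustration only."""
from itertools import cycle

# Constructed illustrative key. In a static scheme the key ships inside the
# client that must decode the history, so anyone holding the client binary
# and the history file effectively holds the key too.
STATIC_KEY = b"example-key"


def xor_with_key(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Repeating-key XOR. XOR is its own inverse: one call encodes, the
    same call decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def round_trips(entry: str) -> bool:
    """Encoding then decoding with the same static key returns the entry."""
    return xor_with_key(xor_with_key(entry.encode())).decode() == entry


def xor_of_stored_entries(a: bytes, b: bytes) -> bytes:
    """XOR two *stored* (encoded) entries. Because (a ^ k) ^ (b ^ k) == a ^ b,
    the key drops out and the result depends on the plaintexts alone."""
    ea, eb = xor_with_key(a), xor_with_key(b)
    n = min(len(ea), len(eb))
    return bytes(x ^ y for x, y in zip(ea[:n], eb[:n]))


def shared_prefix_length(stored_xor: bytes) -> int:
    """Count leading zero bytes in a ^ b: each one is a position where the
    two entries were identical, revealed without knowing the key."""
    count = 0
    for byte in stored_xor:
        if byte != 0:
            break
        count += 1
    return count


if __name__ == "__main__":
    # Constructed sample entries resembling the field types the article lists.
    first, second = b"SSN-123-45", b"SSN-123-99"
    leak = xor_of_stored_entries(first, second)
    print("round-trip ok:", round_trips(first.decode()))
    print("key-free xor of stored entries:", leak.hex())
    print("identical leading bytes exposed:", shared_prefix_length(leak))
```

Nothing in the block needs the key to reach `shared_prefix_length`, which is the whole point: an encoding whose key lives beside the data is obfuscation, and the only setting that removes the risk is the one the article recommends, disabling the history and deleting the files already on disk.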
Securing Your SAP GUI
To mitigate these risks, disabling the input history functionality and deleting existing database or serialized object files from the designated directories is strongly recommended.
Putting It All Together: A Call to Action
These vulnerabilities in Citrix and SAP GUI underscore the need for proactive security measures. Regularly updating systems, promptly applying patches, and implementing recommended mitigations are essential steps in safeguarding against potential exploits.
It's a jungle out there in cybersecurity, isn't it? But with vigilance and a proactive approach, you can keep those digital predators at bay. Stay safe, stay updated, and keep those patches rolling!