# Citrix Linux client credential leak  
The Citrix Linux client emits its session credentials when starting a Citrix  
session. These credentials end up being recorded in the client's system log.  
Citrix do not consider this to be a security vulnerability.  
# Software affected  
- Citrix Workspace App for Linux versions 2212.  
Other versions are likely affected.  
# Context  
When connecting to a Citrix session via a web browser such as Firefox on Linux,  
typically you access a web application known as Citrix Storefront. This  
provides clickable icons for the applications and remote desktop sessions  
available to you.  
When you click on one of these, your browser is instructed to open a URL of the  
form `receiver://.....` which is handled using `/opt/Citrix/ICAClient/util/ctxwebhelper`.  
`ctxwebhelper` parses the URL and uses the decoded information to make a HTTP  
GET request to the remote server for an 'ica' file, which contains the  
connection details necessary to launch the Citrix client software,  
The ICA file contains details such as the server hostname and temporary session  
credentials needed to authenticate the session.  
# The issue  
When making the GET request to retrieve the ICA file, `ctxwebhelper` echos the  
full HTTP response (headers & body) to standard output, which ends up feeding  
into journald and then into the system log files.  
This can be demonstrated by connecting to a Citrix session and running:  
grep receiver\\.desktop.*LogonTicket= /var/log/syslog  
which will produce output such as  
2023-01-12T11:15:46.816466+00:00 myhostname receiver.desktop[9999]: LogonTicket=1234567890ABCDEF1234567890ABCD  
# Vendor response  
Citrix responded to my report on 2023-01-05 to say they do not consider this a product vulnerability:  
Thank you for bearing with us. We have concluded the security  
investigation into the reported issue and determined that the contents  
of /var/log/syslog can only be read or written by root user, or a  
syslog user or an adm group but not by an unprivileged user. As a  
result, we do not consider this finding as a vulnerability in the  
We would like to thank you for submitting the finding and helping to  
keep Citrix customers safe.  
Best Regards,  
Citrix Security Response Team  
This is short-sighted in my opinion - logs should not be considered safe places  
to store credentials, even temporary ones.  
# Workaround  
Since Citrix do not consider this a vulnerability it seems unlikely this behaviour will change.  
You can work around this issue by replacing ctxwebhelper with a wrapper script  
that either discards or filters its output.  
First, rename `ctxwebhelper`:  
mv /opt/Citrix/ICAClient/util/ctxwebhelper /opt/Citrix/ICAClient/util/ctxwebhelper.real  
Next, place a script in its place, which first redirects stdout and stderr to /dev/null before executing the real `ctxwebhelper`:  
set -eu  
exec &>/dev/null  
"$(dirname "$0")"/ctxwebhelper.real "$@"  
Don't forget to `chmod +x /opt/Citrix/ICAClient/util/ctxwebhelper` after doing this.  
This script is available from this repository - see `ctxwebhelper.wrapper`.  
Note that this will be overwritten if the Citrix client is reinstalled.  
# Timeline  
2022-12-11: Issue disclosed to Citrix via email to  
2022-12-13: Citrix acknowledges receipt of the report, assigns identifier `CASE-8324`.  
2023-01-05: Citrix reponds to say they do not consider it a vulnerability.  
2023-01-07: Reply to Citrix requesting they reconsider their assessment.  
2023-01-14: Public disclosure.  
# Author  
Russell Howe. [Github]( [Twitter](  
# Brexit flags  
set -eu  
# Ensure stdout and stderr are discarded  
exec &>/dev/null  
# Execute the real ctxwebhelper  
"$(dirname "$0")"/ctxwebhelper.real "$@"