
====================================================================

                              CERT-Renater

                    Information Note No. 2017/VULN032
_____________________________________________________________________

DATE                : 08/02/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Citrix NetScaler ADC, Citrix
                      NetScaler Gateway versions 11.x, 10.5.

=====================================================================
https://support.citrix.com/article/CTX220329
____________________________________________________________________

CTX220329

Vulnerability in Citrix NetScaler Application Delivery Controller and
NetScaler Gateway GCM nonce generation

Security Bulletin | Medium | Created: 06 Feb 2017 | Modified: 06 Feb 2017


Applicable Products

    NetScaler
    NetScaler Gateway


Description of Problem

A flaw has been identified in the GCM nonce generation functionality of
Citrix NetScaler Application Delivery Controller (ADC) and Citrix
NetScaler Gateway that could result in the interception of session data.

The following vulnerability has been addressed:

CVE-2016-0270: Vulnerability in Citrix NetScaler Application Delivery
Controller and Citrix NetScaler Gateway GCM Nonce Generation

The vulnerability affects the following versions of Citrix NetScaler
ADC and NetScaler Gateway:

    Version 11.1 earlier than 11.1 Build 51.21
    Version 11.0 earlier than 11.0 Build 69.12/69.123
    Version 10.5 earlier than 10.5 Build 65.11

This vulnerability does not impact Citrix NetScaler ADC and NetScaler
Gateway version 10.1.


Mitigating Factors

Only Citrix NetScaler ADC and NetScaler Gateway appliances that have
been configured to use GCM-based ciphersuites are affected by this
vulnerability.
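A GCM nonce that repeats under the same key voids both the confidentiality and the integrity guarantees of the cipher, which is why a nonce generation flaw on a TLS endpoint is treated as a session-interception risk. The check below is an added example, not code from Citrix or CERT-Renater: it parses TLS 1.2 application-data records (RFC 5288 places the 64-bit explicit part of the AES-GCM nonce at the start of each record payload) from a constructed capture of one direction of a connection and reports any explicit nonce that is emitted more than once. It assumes the records are TLS 1.2 (TLS 1.3 carries no explicit nonce) and that the capture contains only one direction of one connection.

```python
import struct
from collections import defaultdict

TLS_APPLICATION_DATA = 0x17
TLS_1_2 = 0x0303
EXPLICIT_NONCE_LEN = 8   # RFC 5288: 64-bit explicit part of the GCM nonce
GCM_TAG_LEN = 16         # authentication tag appended to every GCM record


def parse_records(stream: bytes):
    """Yield (content_type, version, payload) for each TLS record in a byte stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) < length:
            break  # truncated trailing record: stop rather than misparse
        yield ctype, version, payload
        offset += 5 + length


def find_repeated_nonces(stream: bytes):
    """Return explicit nonces seen more than once among TLS 1.2 application-data records."""
    seen = defaultdict(int)
    for ctype, version, payload in parse_records(stream):
        if ctype != TLS_APPLICATION_DATA or version != TLS_1_2:
            continue  # handshake/alert records are not what we audit here
        if len(payload) < EXPLICIT_NONCE_LEN + GCM_TAG_LEN:
            continue  # too short to be a GCM record; skip
        seen[payload[:EXPLICIT_NONCE_LEN]] += 1
    return sorted(nonce for nonce, count in seen.items() if count > 1)


def make_record(explicit_nonce: bytes, body: bytes) -> bytes:
    """Build a constructed TLS 1.2 application-data record (ciphertext and tag are dummy bytes)."""
    payload = explicit_nonce + body + b"\x00" * GCM_TAG_LEN
    return struct.pack("!BHH", TLS_APPLICATION_DATA, TLS_1_2, len(payload)) + payload


# Constructed sample capture: a counter-style explicit nonce sequence in which the
# value 2 is emitted twice, the failure mode this check is meant to surface.
SAMPLE_STREAM = b"".join([
    make_record((1).to_bytes(8, "big"), b"A" * 20),
    make_record((2).to_bytes(8, "big"), b"B" * 20),
    make_record((3).to_bytes(8, "big"), b"C" * 20),
    make_record((2).to_bytes(8, "big"), b"D" * 20),
])

if __name__ == "__main__":
    for nonce in find_repeated_nonces(SAMPLE_STREAM):
        print("repeated explicit nonce:", nonce.hex())
```

On a real capture, feed the server-to-client (or client-to-server) TCP payload of a single connection as `stream`; any hit means the endpoint's nonce generation needs to be fixed or upgraded, regardless of how the rest of the configuration looks.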


What Customers Should Do

This vulnerability has been addressed in the following versions of
Citrix NetScaler ADC and NetScaler Gateway:

    Citrix NetScaler ADC and NetScaler Gateway version 11.1 Build 51.21 and later
    Citrix NetScaler ADC and NetScaler Gateway version 11.0 Build 69.12/69.123 and later
    Citrix NetScaler ADC and NetScaler Gateway version 10.5 Build 65.11 and later


These new versions can be downloaded from the following locations:

https://www.citrix.com/downloads/netscaler-adc.html

https://www.citrix.com/downloads/netscaler-gateway.html

Citrix recommends that customers using affected versions of NetScaler
ADC and NetScaler Gateway upgrade to a version of the appliance
firmware that contains the fixes for this issue as soon as their normal
patching schedule allows.


Acknowledgements

Citrix thanks Hanno Böck (https://hboeck.de/) for working with us to
protect Citrix customers. His original research on this issue is
available here.


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix
Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Contact details for Citrix Technical Support
are available at
https://www.citrix.com/support/open-a-support-case.html.


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities seriously. For guidance
on how to report security-related issues to Citrix, please see the
following document:
CTX081743 – Reporting Security Issues to Citrix


Changelog

Date               Change
February 6, 2017   Initial Publishing

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================