
====================================================================

                              CERT-Renater

                 Information Note No. 2017/VULN395
_____________________________________________________________________

DATE                : 13/12/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Citrix NetScaler, Citrix NetScaler
                         Gateway versions 12.0, 11.1, 11.0, 10.5.

=====================================================================
https://support.citrix.com/article/CTX230612
https://support.citrix.com/article/CTX230238
_____________________________________________________________________

CTX230612

Information Disclosure in Citrix NetScaler Application Delivery
Controller (ADC) and NetScaler Gateway Client TLS Handshake

Applicable Products

  * NetScaler 12.0
  * NetScaler 11.1
  * NetScaler 11.0
  * NetScaler 10.5
  * NetScaler Gateway 12.0
  * NetScaler Gateway 11.1
  * NetScaler Gateway 11.0
  * NetScaler Gateway 10.5

Description of Problem

A vulnerability has been identified in the Citrix NetScaler Application
Delivery Controller (ADC) and NetScaler Gateway Packet Engine that
could result in the disclosure of cleartext traffic from the backend
client TLS handshake.

This vulnerability only affects connections between a Citrix NetScaler
ADC or NetScaler Gateway virtual appliance and a backend server where
TLS with client certificates is enabled and a Diffie-Hellman Ephemeral
(DHE) key exchange is used.

Citrix NetScaler MPX and NetScaler SDX hardware appliances are not
impacted by this vulnerability.

This vulnerability has been assigned the following CVE:

  * CVE-2017-17549: Information Disclosure in Citrix NetScaler
     Application Delivery Controller (ADC) and NetScaler Gateway
     Client TLS Handshake

This vulnerability affects the following versions of Citrix NetScaler
ADC and NetScaler Gateway virtual appliances:

  * Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier
    than build 53.22
  * Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier
    than build 56.19
  * Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier
    than build 71.22
  * Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier
    than build 67.13

-------------------------------------------------------------------------------

Mitigating Factors

In deployments where TLS with Client Certificates is not used, or where
DHE key exchange is not used, the virtual appliances are not impacted.

-------------------------------------------------------------------------------

What Customers Should Do

This vulnerability has been addressed in the following versions of
Citrix NetScaler ADC and NetScaler Gateway:

  * Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 53.22
    and later
  * Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 56.19
    and later
  * Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 71.22
    and later
  * Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 67.13
    and later

These new versions can be found on the Citrix website at the following
locations:

https://www.citrix.com/downloads/netscaler-adc/

https://www.citrix.com/downloads/netscaler-gateway/

Citrix recommends that affected customers upgrade their vulnerable
NetScaler appliances to a version of the appliance firmware that
contains a fix for this issue as part of their normal patching schedule.

-------------------------------------------------------------------------------

Acknowledgements

Citrix thanks the IBM Security Team for working with us to protect
Citrix customers.

-------------------------------------------------------------------------------

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix
Knowledge Center at http://support.citrix.com/.

-------------------------------------------------------------------------------

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Contact details for Citrix Technical Support
are available at https://www.citrix.com/support/open-a-support-case.html.

-------------------------------------------------------------------------------

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities seriously. For guidance
on how to report security-related issues to Citrix, please see the
following document: CTX081743 - Reporting Security Issues to Citrix

-------------------------------------------------------------------------------

Changelog

+----------------------------------+----------------------------------+
| Date                             | Change                           |
+----------------------------------+----------------------------------+
| 12th December 2017               | Initial publishing               |
+----------------------------------+----------------------------------+

_____________________________________________________________________

-------------------------------------------------------------------------------

CTX230238

TLS Padding Oracle Vulnerability in Citrix NetScaler Application
Delivery Controller (ADC) and NetScaler Gateway

Applicable Products

  * NetScaler 12.0
  * NetScaler 11.1
  * NetScaler 11.0
  * NetScaler 10.5
  * NetScaler Gateway 12.0
  * NetScaler Gateway 11.1
  * NetScaler Gateway 11.0
  * NetScaler Gateway 10.5

Description of Problem

A vulnerability has been identified in the Citrix NetScaler Application
Delivery Controller (ADC) and NetScaler Gateway Packet Engine that
could allow an attacker to exploit the appliance to decrypt TLS
traffic.

This vulnerability has been assigned the following CVE:

  * CVE-2017-17382: TLS Padding Oracle Vulnerability in Citrix NetScaler
    Application Delivery Controller (ADC) and NetScaler Gateway

This vulnerability affects the following versions of Citrix NetScaler
ADC and NetScaler Gateway:

  * Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier
    than build 53.22
  * Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier
    than build 56.19
  * Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier
    than build 71.22
  * Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier
    than build 67.13

This vulnerability does not allow an attacker to obtain the TLS private
key.

In deployments where TLS private keys are shared between different
devices, any of these vulnerable appliances could potentially be used
to decrypt TLS traffic handled by the other devices. As a consequence,
all vulnerable devices must be patched to address this issue.

-------------------------------------------------------------------------------

Mitigating Factors

Citrix NetScaler ADC and NetScaler Gateway appliances that are
configured to only use Perfect Forward Secrecy (PFS) cipher suites are
not affected by this vulnerability.

-------------------------------------------------------------------------------

What Customers Should Do

This vulnerability has been addressed in the following versions of
Citrix NetScaler ADC and NetScaler Gateway:

  * Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 53.22
    and later
  * Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 56.19
    and later
  * Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 71.22
    and later
  * Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 67.13
    and later

These new versions can be found on the Citrix website at the following
locations:

https://www.citrix.com/downloads/netscaler-adc/

https://www.citrix.com/downloads/netscaler-gateway/

Citrix strongly recommends that affected customers upgrade all of their
vulnerable NetScaler appliances to a version of the appliance firmware
that contains a fix for this issue as soon as possible.
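
The check below is an added example, not code from Citrix or CERT-Renater:
it applies the fixed-build thresholds and mitigating factors of both
CTX230612 and CTX230238 to one appliance. The version banner format, the
dash-separated cipher names and the split between configured_ciphers and
backend_ciphers are assumptions made for the example.

```python
import re

# First fixed build per release branch, from the advisory text above.
FIXED_BUILD = {"12.0": (53, 22), "11.1": (56, 19),
               "11.0": (71, 22), "10.5": (67, 13)}
# Assumption: dash-separated cipher names carry the key exchange as a token.
PFS_KX = {"DHE", "ECDHE", "EDH"}   # forward-secret key exchanges
DHE_KX = {"DHE", "EDH"}            # finite-field ephemeral Diffie-Hellman only

def parse_version(banner):
    """Return ('12.0', (51, 24)) for a banner like 'NS12.0: Build 51.24.nc'."""
    m = re.search(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def kx_tokens(cipher):
    return set(cipher.upper().split("-"))

def assess(banner, virtual, configured_ciphers, backend_ciphers, backend_client_cert):
    """List the CVEs from this note that apply to one appliance."""
    release, build = parse_version(banner)
    fixed = FIXED_BUILD.get(release)
    if fixed is None:                      # release not covered by the note
        return {"release": release, "listed": False, "cves": []}
    cves = []
    if build < fixed:
        # CVE-2017-17382: mitigated only when every suite is forward-secret.
        if any(not (kx_tokens(c) & PFS_KX) for c in configured_ciphers):
            cves.append("CVE-2017-17382")
        # CVE-2017-17549: virtual appliance + backend client cert + DHE.
        if virtual and backend_client_cert and any(
                kx_tokens(c) & DHE_KX for c in backend_ciphers):
            cves.append("CVE-2017-17549")
    return {"release": release, "listed": True, "cves": cves}

# Constructed sample inventory entry (not taken from a real device).
SAMPLE = assess("NetScaler NS12.0: Build 51.24.nc", True,
                ["TLS1-AES-256-CBC-SHA", "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384"],
                ["TLS1-DHE-RSA-AES-256-CBC-SHA"], True)

if __name__ == "__main__":
    print(SAMPLE)
```

An empty cipher list is treated as "nothing to flag", so feed the function
the full cipher configuration before relying on a clean result.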

-------------------------------------------------------------------------------

Acknowledgements

Citrix would like to thank the following for working with us to protect
Citrix customers:

  * Hanno Bock (hanno@hboeck.de)
  * Juraj Somorovsky (juraj.somorovsky@rub.de) of Ruhr-Universität
    Bochum / Hackmanit GmbH
  * Craig Young (vuln-report@secur3.us) of Tripwire VERT

-------------------------------------------------------------------------------

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix
Knowledge Center at http://support.citrix.com/.

-------------------------------------------------------------------------------

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Contact details for Citrix Technical Support
are available at https://www.citrix.com/support/open-a-support-case.html.

-------------------------------------------------------------------------------

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities seriously. For guidance
on how to report security-related issues to Citrix, please see the
following document: CTX081743 - Reporting Security Issues to Citrix

-------------------------------------------------------------------------------

Changelog

+----------------------------------+----------------------------------+
| Date                             | Change                           |
+----------------------------------+----------------------------------+
| 12th December 2017               | Initial publishing               |
+----------------------------------+----------------------------------+

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================



