==================================================================== CERT-Renater Note d'Information No. 2019/VULN027 _____________________________________________________________________ DATE : 30/01/2019 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Citrix ADC, Citrix NetScaler Gateway versions 10, 11, 12. ===================================================================== https://support.citrix.com/article/CTX240139 _____________________________________________________________________ Security Bulletin: TLS Padding Oracle Vulnerability in Citrix Application Delivery Controller(ADC) and NetScaler Gateway Reference:CTX240139 Applicable Products o NetScaler 12.1 o NetScaler 12.0 o NetScaler 11.1 o NetScaler 11.0 o NetScaler 10.5 o NetScaler Gateway 12.0 o NetScaler Gateway 11.1 o NetScaler Gateway 11.0 o NetScaler Gateway 10.5 Description of Problem A vulnerability has been identified in the Citrix Application Delivery Controller (ADC) formally known as NetScaler ADC and NetScaler Gateway platforms using hardware acceleration that could allow an attacker to exploit the appliance to decrypt TLS traffic. This vulnerability does not directly allow an attacker to obtain the TLS private key. This vulnerability has been assigned the following CVE: o CVE-2019-6485: TLS Padding Oracle Vulnerability in Citrix Application Delivery Controller (ADC) and NetScaler Gateway Platforms not on the list below and running the following versions of Citrix ADC and NetScaler Gateway are impacted, including Citrix ADC instances on affected SDX platforms using hardware acceleration via an assigned virtual function (VF): o Citrix ADC and NetScaler Gateway version 12.1 earlier than build 50.31 o Citrix ADC and NetScaler Gateway version 12.0 earlier than build 60.9 o Citrix ADC and NetScaler Gateway version 11.1 earlier than build 60.14 o Citrix ADC and NetScaler Gateway version 11.0 earlier than build 72.17 o Citrix ADC and NetScaler Gateway version 10.5 earlier than build 69.5 The following platforms are not affected and do not require the firmware update: o MPX 5900 series o MPX/SDX 8900 series o MPX/SDX 15000-50G o MPX/SDX 26000-50S series o MPX/SDX 26000-100G series o MPX/SDX 26000 series o VPX How to check your platform: https://docs.citrix.com/en-us/netscaler/12/ssl/support-for-mpx-5900-8900-platforms.html Mitigating Factors Citrix ADC and NetScaler Gateway appliances that have disabled CBC-based cipher suites are not affected by this vulnerability. Citrix also recommends prioritizing GCM-based ciphers. What Customers Should Do This vulnerability has been addressed in the following versions of Citrix ADC and NetScaler Gateway: o Citrix ADC and NetScaler Gateway version 12.1 build 50.31 and later o Citrix ADC and NetScaler Gateway version 12.0 build 60.9 and later o Citrix ADC and NetScaler Gateway version 11.1 build 60.14 and later o Citrix ADC and NetScaler Gateway version 11.0 build 72.17 and later o Citrix ADC and NetScaler Gateway version 10.5 build 69.5 and later These new versions can be found on the Citrix website at the following locations: https://www.citrix.com/downloads/netscaler-adc/ https://www.citrix.com/downloads/netscaler-gateway/ Citrix recommends that affected customers apply appropriate mitigation or upgrade all of their vulnerable Citrix ADC appliances to a version of the appliance firmware that contains a fix for this issue as soon as possible. Information on how to configure available cipher suites on Citrix ADC can be found in the Citrix ADC documentation: https://docs.citrix.com/en-us/netscaler/12-1/ssl/ciphers-available-on-the-citrix-adc-appliances Acknowledgements Citrix would like to thank the following for working with us to protect Citrix customers: o Craig Young of Tripwire VERT o Janis Fliegenschmidt of Ruhr-Universitat Bochum o Juraj Somorovsky of Ruhr-Universitat Bochum / Hackmanit GmbH o Nimrod Aviram of Tel Aviv University o Robert Merget of Ruhr-Universitat Bochum What Citrix Is Doing Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/. Obtaining Support on This Issue If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html. Reporting Security Vulnerabilities Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 - - Reporting Security Issues to Citrix Changelog +-------------------------------------+---------------------------------------+ |Date |Change | +-------------------------------------+---------------------------------------+ |23rd January 2019 |Initial Publishing | +-------------------------------------+---------------------------------------+ ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================