Description of Problem
A number of security vulnerabilities have been identified in firmware used in the Lights Out Management (LOM) component across all NetScaler-based hardware appliances:
- Citrix NetScaler Application Delivery Controller (ADC)
- Citrix NetScaler Gateway
- Citrix NetScaler Service Delivery Appliance
- Citrix CloudBridge (now NetScaler SD-WAN)
- Citrix Command Center Appliance
- Citrix NetScaler T1 (formerly Citrix ByteMobile)
The following vulnerabilities have been addressed:
- CVE-2013-3607 (High): Stack-based Buffer Overflow
- CVE-2013-3608 (High): Improper Input Validation
- CVE-2013-3609 (High): Improper Privilege Management
- CVE-2013-3619 (High): Static Encryption Keys
- CVE-2013-3620 (High): Hardcoded WSMan Credentials
- CVE-2013-3621 (High): Buffer overflow in login.cgi
- CVE-2013-3623 (High): Buffer overflow in close_window.cgi CGI application
- CVE-2013-3622 (High): Buffer overflow in logout.cgi CGI application
- CVE-2013-4421 (Medium): Denial of service caused by 'buf_decompress()' function
- CVE-2013-4434 (Medium): User-enumeration possible due to timing error during authentication
- CVE-2014-3508 (Medium): Information leak in pretty printing functions
- CVE-2014-3509 (Medium): Race condition in ssl_parse_serverhello_tlsext
- CVE-2014-3511 (Medium): OpenSSL TLS protocol downgrade attack
- CVE-2014-3567 (High): Session Ticket Memory Leak
- CVE-2014-3566 (Low): SSL 3.0 Fallback protection (POODLE)
- CVE-2014-3568 (Medium): Build option no-ssl3 is incomplete
- CVE-2014-3569 (Medium): no-ssl3 configuration sets method to NULL
- CVE-2014-3572 (Medium): ECDHE silently downgrades to ECDH
- CVE-2014-3570 (Medium): Bignum squaring may produce incorrect results
- CVE-2014-8275 (Medium): Certificate fingerprints can be modified
- CVE-2015-0204 (Medium): RSA silently downgrades to EXPORT_RSA
- CVE-2015-0205 (Medium): DH client certificates accepted without verification
- CVE-2015-0286 (Medium): Segmentation fault in ASN1_TYPE_cmp
- CVE-2015-0287 (Medium): ASN.1 structure reuse memory corruption
- CVE-2015-0292 (High): Base64 decode buffer overflow
- CVE-2015-0293 (Medium): DoS via reachable assert in SSLv2 servers
- CVE-2015-0209 (Medium): Use After Free following d2i_ECPrivatekey error
- CVE-2015-0288 (Medium): X509_to_X509_REQ NULL pointer dereference
- CVE-2015-4000 (Low): DHE man-in-the-middle protection (Logjam)
- CVE-2015-1788 (Medium): Malformed ECParameters causes infinite loop
- CVE-2015-1789 (High): Exploitable out-of-bounds read in X509_cmp_time
- CVE-2015-1792 (Medium): CMS verify infinite loop with unknown hash function
- CVE-2015-1791 (Medium): Race condition handling NewSessionTicket
The vulnerabilities mentioned above have varying levels of potential impact, the most severe of which allow a remote unauthenticated attacker to access sensitive information, cause a denial of service, or execute arbitrary code as a privileged user. Please note that there are other vulnerabilities mentioned above of equal or lesser severity that are fixed in the latest firmware.
These vulnerabilities affect the following versions of the LOM firmware:
- 8xxx-based and T1010-based NetScaler MPX/SDX appliances, CB2000 and CB3000 CloudBridge appliances with LOM versions earlier than version 3.21.
- 11500/13500/14500/16500/18500/20500, 115xx, 17550/19550/20550/21550-based and T1100-based NetScaler MPX/SDX appliances, CB4000 and CB5000 CloudBridge appliances with LOM versions earlier than version 3.39.
- 22xxx-based and T1200-based NetScaler MPX/SDX appliances with LOM versions earlier than version 3.24.
- 14xxx and 25xxx-based and T1120 and T1300-based NetScaler MPX/SDX appliances with LOM versions earlier than version 4.08.
Mitigating Factors
These vulnerabilities are only possible through the LOM Ethernet port. Customers who have not connected the LOM Ethernet port on their appliances remain unaffected.
When deployed in line with Citrix NetScaler Secure Deployment recommendations, access to the vulnerable LOM Ethernet port would be limited to trusted users, and the risks presented by these issues would be greatly reduced.
What Customers Should Do
These vulnerabilities have been addressed in the following versions of the LOM firmware:
- LOM firmware version 3.21 for 8xxx-based and T1010-based NetScaler MPX/SDX appliances, CB2000 and CB3000 CloudBridge appliances. Please note that appliances manufactured on or later than Jan 15, 2016 already contain LOM firmware version 3.21.
- LOM firmware version 3.39 for 11500/13500/14500/16500/18500/20500, 115xx, 17550/19550/20550/21550-based and T1100-based NetScaler MPX/SDX appliances, CB4000 and CB5000 CloudBridge appliances. Please note that appliances manufactured on or later than Jan 15, 2016 already contain LOM firmware version 3.39.
- LOM firmware version 3.24 for 22xxx-based and T1200-based NetScaler appliances. Please note that appliances manufactured on or later than June 7, 2016 already contain LOM firmware version 3.24.
- LOM firmware version 4.08 for 14xxx and 25xxx-based and T1120 and T1300-based NetScaler MPX/SDX appliances. Please note that appliances manufactured on or later than April 21, 2016 already contain LOM firmware version 4.08.
Customers on all platforms should verify the LOM firmware version on their deployment. Citrix strongly recommends that affected customers follow the instructions in the following link to update their LOM (BMC) firmware to a version that contains the fixes for these issues:
https://www.citrix.com/downloads/netscaler-adc/components/lom-firmware-upgrade.html
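The two steps above (confirm whether the LOM Ethernet port is connected at all, then compare the running LOM firmware version against the fixed version for the platform family) are easy to get wrong across a large estate, mainly because LOM version strings such as 3.9 and 3.39 do not sort correctly as text. The following script is an added example, not Citrix tooling: it takes the fixed versions from the advisory above, applies them to a constructed inventory (hostnames, family labels and version strings are all assumed for illustration, not real data), and reports which appliances still need the firmware update. It assumes LOM versions are "major.minor" with numeric components, as all four versions in this advisory are.

```python
"""Assess an appliance inventory against the fixed LOM firmware versions
in this advisory. Added example; not Citrix tooling."""
from dataclasses import dataclass

# Minimum fixed LOM firmware version per platform family, taken from the
# advisory. The family keys are labels chosen for this example.
FIXED_LOM_VERSION = {
    "8xxx/T1010/CB2000/CB3000": "3.21",
    "115xx-21550/T1100/CB4000/CB5000": "3.39",
    "22xxx/T1200": "3.24",
    "14xxx-25xxx/T1120/T1300": "4.08",
}


def parse_version(text):
    """Turn '3.21' into (3, 21) so versions compare numerically.

    A plain string comparison ranks '3.9' above '3.39' and would report an
    old firmware as fixed; tuples of ints avoid that. Assumes the
    'major.minor' shape used by every version in the advisory.
    """
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised LOM version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Appliance:
    name: str            # hostname (constructed for this example)
    family: str          # key into FIXED_LOM_VERSION
    lom_version: str     # version string as shown by the LOM interface
    lom_connected: bool  # is the LOM Ethernet port cabled at all?


def assess(appliance):
    """Return 'fixed', 'update-required' or 'not-exposed'.

    'not-exposed' means the firmware is below the fixed version but the
    LOM port is not connected, which the advisory lists as unaffected;
    the update is still worth scheduling before the port is ever cabled.
    """
    try:
        fixed = FIXED_LOM_VERSION[appliance.family]
    except KeyError:
        raise KeyError(f"{appliance.name}: unknown platform family "
                       f"{appliance.family!r}") from None
    if parse_version(appliance.lom_version) >= parse_version(fixed):
        return "fixed"
    return "update-required" if appliance.lom_connected else "not-exposed"


def assess_inventory(appliances):
    """Map each appliance name to its assessment."""
    return {a.name: assess(a) for a in appliances}


# Constructed sample inventory: hostnames, versions and port state are
# made up for illustration and do not describe any real deployment.
SAMPLE_INVENTORY = [
    Appliance("mpx-dc1-01", "8xxx/T1010/CB2000/CB3000", "3.19", True),
    Appliance("mpx-dc1-02", "8xxx/T1010/CB2000/CB3000", "3.21", True),
    # A text comparison would call this one fixed ('3.9' > '3.39').
    Appliance("sdx-dc2-01", "115xx-21550/T1100/CB4000/CB5000", "3.9", True),
    Appliance("mpx-dc2-07", "22xxx/T1200", "3.20", False),
    Appliance("mpx-dc3-01", "14xxx-25xxx/T1120/T1300", "4.10", True),
]

if __name__ == "__main__":
    for name, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:12} {status}")
```

Run it as-is to see the sample report; in practice replace SAMPLE_INVENTORY with data exported from your asset inventory. The family labels are only an indexing convenience here; what matters is that each appliance is mapped to the correct fixed version from the list above, and that unknown families fail loudly rather than being silently skipped.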
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
| Date | Change |
| --- | --- |
| September 8, 2016 | Initial Publishing |
| February 9, 2017 | Removed guidance on silent upgrades from What Customers Should Do |
| February 27, 2017 | Amended Mitigating Factors and What Customers Should Do |