CVE-2017-17549 - Information Disclosure in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Client TLS Handshake

Related Vulnerabilities: CVE-2017-17549  

Description of Problem

A vulnerability has been identified in the Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Packet Engine that could result in the disclosure of cleartext traffic from the backend client TLS handshake.

This vulnerability only affects connections between a Citrix NetScaler ADC or NetScaler Gateway virtual appliance and a backend server where both TLS client certificate authentication is enabled and a Diffie-Hellman Ephemeral (DHE) key exchange is used.

Citrix NetScaler MPX and NetScaler SDX hardware appliances are not impacted by this vulnerability.

This vulnerability has been assigned the following CVE:

  • CVE-2017-17549: Information Disclosure in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Client TLS Handshake

This vulnerability affects the following versions of Citrix NetScaler ADC and NetScaler Gateway virtual appliances:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build 53.22
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build 56.19
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build 71.22
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build 67.13

Mitigating Factors

In deployments where TLS with Client Certificates is not used, or where DHE key exchange is not used, the virtual appliances are not impacted.


What Customers Should Do

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 53.22 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 56.19 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 71.22 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 67.13 and later
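As an added example that is not part of the Citrix advisory, the following Python audits an inventory of NetScaler virtual appliances against the affected and fixed builds listed above and against the two preconditions from the advisory (backend TLS client certificates and DHE key exchange). It assumes the version string has the `NSmajor.minor: Build a.b` shape reported by the appliance, and it compares builds as integer tuples, because a string comparison would rank build 56.9 above 56.19 and misreport an affected appliance as fixed. The host names, version lines and backend settings in the sample inventory are constructed.

```python
import re
from typing import Optional, Tuple

Release = Tuple[int, int]
Build = Tuple[int, int]

# First fixed build for each release line named in the advisory; anything
# older on that line is affected, that build and later are not.
FIXED_BUILDS = {
    (12, 0): (53, 22),
    (11, 1): (56, 19),
    (11, 0): (71, 22),
    (10, 5): (67, 13),
}

# Assumed shape of the appliance version line, e.g. "NetScaler NS12.0: Build 53.13.nc".
VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(version_line: str) -> Optional[Tuple[Release, Build]]:
    """Extract (release, build) as integer tuples so comparison is numeric.

    Integer tuples matter: a plain string comparison would rank build
    "56.9" above "56.19" and report an affected appliance as fixed.
    """
    match = VERSION_RE.search(version_line)
    if not match:
        return None
    major, minor, build_major, build_minor = (int(g) for g in match.groups())
    return (major, minor), (build_major, build_minor)


def is_affected_build(version_line: str) -> Optional[bool]:
    """True if the build is older than the first fixed build on its release line.

    Returns None when the release line is not one the advisory covers, so the
    caller can flag it for manual review instead of assuming it is safe.
    """
    parsed = parse_version(version_line)
    if parsed is None:
        raise ValueError(f"unrecognised version line: {version_line!r}")
    release, build = parsed
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        return None
    return build < fixed


def is_exposed(version_line: str, backend_client_cert: bool, backend_dhe: bool) -> Optional[bool]:
    """Combine the build check with the advisory's two preconditions.

    Per the mitigating factors, an affected build is only exposed when a
    backend connection uses both TLS client certificates and DHE key exchange.
    """
    affected = is_affected_build(version_line)
    if affected is None:
        return None
    return affected and backend_client_cert and backend_dhe


if __name__ == "__main__":
    # Constructed sample inventory of virtual appliances; not real output.
    inventory = [
        ("vpx-edge-01", "NetScaler NS12.0: Build 53.13.nc", True, True),
        ("vpx-edge-02", "NetScaler NS11.1: Build 56.9.nc", True, True),
        ("vpx-edge-03", "NetScaler NS11.1: Build 56.19.nc", True, True),
        ("vpx-edge-04", "NetScaler NS12.0: Build 53.13.nc", False, True),
    ]
    for name, version, client_cert, dhe in inventory:
        status = is_exposed(version, client_cert, dhe)
        verdict = "review" if status is None else ("UPGRADE" if status else "ok")
        print(f"{name}: {version} -> {verdict}")
```

The `None` result for an unlisted release line is deliberate: a release the advisory does not name should be reviewed, not silently treated as patched. The advisory also states that MPX and SDX hardware appliances are not impacted, so the inventory fed to this check should contain only virtual appliances.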

These new versions can be found on the Citrix website at the following locations:

https://www.citrix.com/downloads/netscaler-adc/

https://www.citrix.com/downloads/netscaler-gateway/

Citrix recommends that affected customers upgrade their vulnerable NetScaler appliances to a version of the appliance firmware that contains a fix for this issue as part of their normal patching schedule.


Acknowledgements

Citrix thanks the IBM Security Team for working with us to protect Citrix customers.


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date  Change
12th December 2017 Initial publishing