CVE-2017-5933 - Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway GCM nonce generation

Related Vulnerabilities: CVE-2017-5933  

Description of Problem

A flaw in NetScaler ADC and Gateway causes GCM nonces to be randomly generated, making it marginally easier for remote attackers to obtain the GCM authentication key and spoof data within a session.
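As an added illustration of why random GCM nonces matter (example code written for this page, not from the advisory or from Citrix): assuming the TLS 1.2 AES-GCM record layout of RFC 5288, where an 8-byte explicit nonce is sent in the clear ahead of each record, a defender can scan a captured record stream for repeated nonces under one key, check whether the sender uses a sequence-number style counter, and use the birthday bound to estimate how many random nonces it takes before a repeat becomes likely.

```python
import math
import os
import struct
from collections import Counter

# TLS 1.2 AES-GCM record (RFC 5288): 5-byte header, then an 8-byte explicit
# nonce sent in the clear, then ciphertext and a 16-byte tag.
TLS_HEADER_LEN = 5
EXPLICIT_NONCE_LEN = 8

def explicit_nonces(records):
    """Extract the cleartext 8-byte explicit nonce from each record."""
    nonces = []
    for rec in records:
        if len(rec) < TLS_HEADER_LEN + EXPLICIT_NONCE_LEN:
            raise ValueError("record too short to carry a GCM explicit nonce")
        nonces.append(rec[TLS_HEADER_LEN:TLS_HEADER_LEN + EXPLICIT_NONCE_LEN])
    return nonces

def duplicate_nonces(records):
    """Nonces seen more than once under one key: the condition GCM must never hit."""
    counts = Counter(explicit_nonces(records))
    return {n for n, c in counts.items() if c > 1}

def looks_like_counter(records):
    """True when explicit nonces rise by exactly one per record (sequence-number style)."""
    vals = [struct.unpack(">Q", n)[0] for n in explicit_nonces(records)]
    return len(vals) > 1 and all(b - a == 1 for a, b in zip(vals, vals[1:]))

def collision_probability(n_records, nonce_bits=64):
    """Birthday-bound estimate that n random nonces of nonce_bits contain a repeat."""
    return 1.0 - math.exp(-n_records * (n_records - 1) / 2.0 / 2.0 ** nonce_bits)

def make_record(explicit_nonce, body=b"\x00" * 32):
    """Constructed application-data record (type 0x17, version 3.3); body stands in for ciphertext + tag."""
    payload = explicit_nonce + body
    return b"\x17\x03\x03" + struct.pack(">H", len(payload)) + payload

def counter_records(n, start=0):
    """Constructed stream whose explicit nonces are a counter, as a well-behaved sender produces."""
    return [make_record(struct.pack(">Q", start + i)) for i in range(n)]

def random_records(n):
    """Constructed stream whose explicit nonces are random, the behaviour the advisory describes."""
    return [make_record(os.urandom(EXPLICIT_NONCE_LEN)) for _ in range(n)]
```

With 2^32 random 64-bit explicit nonces the birthday estimate already gives roughly a 39% chance of a repeat, whereas a counter cannot repeat until it wraps.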

The following vulnerability has been addressed:

CVE-2017-5933: Vulnerability in Citrix NetScaler Application Delivery Controller and Citrix NetScaler Gateway GCM Nonce Generation

The vulnerability affects the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Version 11.1 earlier than 11.1 Build 51.21
  • Version 11.0 earlier than 11.0 Build 69.12/69.123
  • Version 10.5 earlier than 10.5 Build 65.11

This vulnerability does not impact Citrix NetScaler ADC and NetScaler Gateway version 10.1 and prior.


Mitigating Factors

Only Citrix NetScaler ADC and NetScaler Gateway appliances that have been configured to use GCM-based ciphersuites are affected by this vulnerability.


What Customers Should Do

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 Build 51.21 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 Build 69.12/69.123 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 Build 65.11 and later


These new versions can be downloaded from the following locations:

https://www.citrix.com/downloads/netscaler-adc.html

https://www.citrix.com/downloads/netscaler-gateway.html

Citrix recommends that customers using affected versions of NetScaler ADC and NetScaler Gateway upgrade to a version of the appliance firmware that contains the fixes for this issue as soon as their normal patching schedule allows.


Acknowledgements

Citrix thanks Hanno Böck (https://hboeck.de/) for working with us to protect Citrix customers. His original research on this issue is available here.


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date               Change
February 6, 2017   Initial Publishing
February 9, 2017   Updated to Citrix-specific CVE
February 14, 2017  Updated issue description