Description of Problem
A vulnerability has been identified in the Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and NetScaler Gateway platforms using hardware acceleration that could allow an attacker to exploit the appliance to decrypt TLS traffic. This vulnerability does not directly allow an attacker to obtain the TLS private key.
This vulnerability has been assigned the following CVE:
• CVE-2019-6485: TLS Padding Oracle Vulnerability in Citrix Application Delivery Controller (ADC) and NetScaler Gateway
Citrix ADC and NetScaler Gateway appliances on platforms not in the unaffected list below, running any of the following versions, are impacted. This includes Citrix ADC instances on affected SDX platforms that use hardware acceleration via an assigned virtual function (VF):
• Citrix ADC and NetScaler Gateway version 12.1 earlier than build 50.31
• Citrix ADC and NetScaler Gateway version 12.0 earlier than build 60.9
• Citrix ADC and NetScaler Gateway version 11.1 earlier than build 60.14
• Citrix ADC and NetScaler Gateway version 11.0 earlier than build 72.17
• Citrix ADC and NetScaler Gateway version 10.5 earlier than build 69.5
The following platforms are not affected and do not require the firmware update:
• MPX 5900 series
• MPX/SDX 8900 series
• MPX/SDX 15000-50G
• MPX/SDX 26000-50S series
• MPX/SDX 26000-100G series
• MPX/SDX 26000 series
• VPX
How to check your platform: https://docs.citrix.com/en-us/netscaler/12/ssl/support-for-mpx-5900-8900-platforms.html
Mitigating Factors
Citrix ADC and NetScaler Gateway appliances that have disabled CBC-based cipher suites are not affected by this vulnerability. Citrix also recommends prioritizing GCM-based ciphers.
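The mitigation above turns on whether any CBC-mode cipher suite is still negotiable. The following added example (not Citrix's code, and not part of this advisory) shows one way an administrator can verify that: it classifies cipher suite names in OpenSSL notation into CBC and AEAD (GCM/CCM/ChaCha20) groups, reorders a list so AEAD suites come first, and optionally performs a single TLS 1.2 handshake that offers only CBC suites to confirm the endpoint refuses them. The sample cipher list is constructed for illustration; the host and port passed to the probe are whatever appliance virtual server you administer.

```python
"""Check whether a TLS endpoint still accepts CBC cipher suites.

Added example, not Citrix's code. Cipher names follow OpenSSL notation as
printed by `openssl ciphers` or Python's ssl module. The live probe only
proves whether a CBC suite can be negotiated; it is a configuration check,
not an exploit.
"""
import socket
import ssl
import sys

# Constructed sample: a mix of CBC and AEAD suite names an appliance might list.
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",   # CBC: SHA-384 HMAC, no AEAD tag in the name
    "ECDHE-RSA-AES128-SHA256",   # CBC
    "AES256-SHA",                # CBC
    "DES-CBC3-SHA",              # CBC (3DES)
    "ECDHE-RSA-CHACHA20-POLY1305",
]

AEAD_TAGS = ("GCM", "CCM", "POLY1305", "CHACHA20")
BLOCK_TAGS = ("AES", "CBC", "3DES", "DES", "CAMELLIA", "SEED", "IDEA")


def is_cbc_suite(name):
    """Return True if an OpenSSL/IANA cipher name denotes a CBC-mode suite.

    OpenSSL omits 'CBC' from most CBC suite names (e.g. AES256-SHA), so a
    block cipher with no AEAD marker is treated as CBC. Stream and null
    ciphers (RC4, NULL) are neither CBC nor AEAD and are not flagged.
    """
    n = name.upper()
    if any(tag in n for tag in AEAD_TAGS) or "RC4" in n or "NULL" in n:
        return False
    return any(tag in n for tag in BLOCK_TAGS)


def split_by_mode(cipher_names):
    """Partition cipher names into (cbc_suites, non_cbc_suites), order preserved."""
    cbc = [c for c in cipher_names if is_cbc_suite(c)]
    other = [c for c in cipher_names if not is_cbc_suite(c)]
    return cbc, other


def prioritize_aead(cipher_names):
    """Return the list reordered so AEAD (GCM/CCM/ChaCha20) suites precede CBC ones."""
    cbc, other = split_by_mode(cipher_names)
    return other + cbc


def probe_cbc(host, port=443, timeout=5.0):
    """Attempt one TLS 1.2 handshake offering only CBC suites.

    Returns the negotiated cipher name if the server accepted a CBC suite
    (mitigation not in place), or None if the handshake was refused.
    Certificate validation is disabled because only cipher negotiation is
    being tested, not identity.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no CBC suites
    # OpenSSL cipher string: block ciphers minus every AEAD mode and anonymous/null suites.
    ctx.set_ciphers("AES:3DES:CAMELLIA:!AESGCM:!AESCCM:!CHACHA20:!aNULL:!eNULL")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                negotiated = tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None
    # Sanity check: the server should only have been able to pick a CBC suite.
    return negotiated if is_cbc_suite(negotiated) else None


if __name__ == "__main__":
    cbc, other = split_by_mode(SAMPLE_CIPHERS)
    print("CBC suites in sample list:", cbc)
    print("Preferred order:", prioritize_aead(SAMPLE_CIPHERS))
    if len(sys.argv) > 1:
        target = sys.argv[1]
        result = probe_cbc(target)
        print("CBC negotiated" if result else "CBC refused", "on", target, result or "")
```

Run it without arguments to see the classification of the constructed list, or with a hostname to perform the live check against a virtual server you manage; a `None` result from `probe_cbc` means the endpoint declined every CBC suite offered, which is the state the mitigating factor describes.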
What Customers Should Do
Acknowledgements
Citrix would like to thank the following for working with us to protect Citrix customers:
• Craig Young of Tripwire VERT
• Janis Fliegenschmidt of Ruhr-Universität Bochum
• Juraj Somorovsky of Ruhr-Universität Bochum / Hackmanit GmbH
• Nimrod Aviram of Tel Aviv University
• Robert Merget of Ruhr-Universität Bochum
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change
23rd January 2019 | Initial Publishing