Description of Problem
An unauthorized redirect vulnerability has been identified in Citrix NetScaler ADC in the AAA-TM flow that could allow a remote attacker to obtain session cookies of a redirected AAA user.
This vulnerability does not impact NetScaler Gateway.
The following vulnerability has been addressed:
CVE-2016-9028: Unauthorized Redirect on Citrix NetScaler ADC could result in session hijack
The vulnerability affects the following versions of Citrix NetScaler ADC:
- Version 11.0 earlier than 11.0 Build 65.31/65.35F
- Version 10.5 earlier than 10.5 Build 61.11
- Version 10.1 earlier than 10.1 Build 135.8
Please note that NetScaler ADC version 11.1 contains the firmware fixes since its initial release. It will still, however, require the additional configuration changes described in the section below.
What Customers Should Do
This vulnerability has been addressed in the following versions of Citrix NetScaler ADC:
- Citrix NetScaler ADC version 11.0 Build 65.31/65.35F and later
- Citrix NetScaler ADC version 10.5 Build 61.11 and later
- Citrix NetScaler ADC version 10.1 Build 135.8 and later
These new versions can be downloaded from the following location:
https://www.citrix.com/downloads/netscaler-adc.html
Citrix strongly recommends that customers using affected versions of the NetScaler ADC upgrade to a version of the appliance firmware that contains the fixes for this issue as soon as possible to avoid being exploited.
Please note that NetScaler ADC version 11.1 contains the firmware fixes since its initial release. It will still, however, require the configuration changes described below.
In addition to the firmware upgrade, customers across all currently supported versions (including NetScaler ADC 11.1) should also implement the following configuration change. This configuration change is required for all deployments that utilize AAA-TM for authentication and data flow.
The following steps should be performed from the NSCLI:
- Ensure that the Load-Balancing virtual server IP address is non-routable from the external world:
    add lb vserver <internal_vserver> SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -AuthenticationHost <authentication_hostname> -Authentication ON -authnVsName <auth_vserver> -authnProfile <auth_profile>
- Bind this virtual server entity to a service to allow traffic to be routed to the back-end server:
    add service <backend_service> <ip_addr> HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
    bind lb vserver <internal_vserver> <backend_service>
- Configure a routable Content-Switching policy to identify valid FQDN(s) or IP address(es) in the enterprise subnet and bind this to a Content-Switching virtual server:
    add cs vserver <cs_vserver> SSL <IP_addr> 443 -cltTimeout 180
    bind ssl vserver <cs_vserver> -certkeyName <certkey>
    add cs policy <cs_policy_host> -rule "HTTP.REQ.HOSTNAME.EQ(\"<valid FQDN/IP>\")"
    bind cs vserver <cs_vserver> -policyName <cs_policy_host> -targetLBVserver <internal_vserver> -priority 100
As with all configuration changes, Citrix recommends that the customers verify the functionality within a test environment prior to releasing to production.
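The following script is an added example (not Citrix tooling or part of this advisory) that audits a NetScaler configuration for the mitigation described above. It assumes the configuration is available in the same "add ... / bind ..." command form that the NSCLI accepts (as stored in ns.conf), and it operates on a constructed sample rather than a real deployment. It flags AAA-TM-enabled Load-Balancing virtual servers that still carry a routable VIP, and also reports non-addressable ones that no Content-Switching virtual server forwards to, since those would be unreachable after the change.

```python
import re

# Constructed sample configuration in NSCLI command form. The hostnames,
# addresses and entity names are invented for this example.
SAMPLE_CONFIG = """\
add lb vserver lb_intranet_old SSL 10.10.10.50 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth.example.internal -Authentication ON -authnVsName auth_vs
add lb vserver lb_intranet SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth.example.internal -Authentication ON -authnVsName auth_vs -authnProfile auth_prof
add lb vserver lb_public HTTP 10.10.10.60 80 -persistenceType NONE
add lb vserver lb_hr SSL 0.0.0.0 0 -persistenceType NONE -AuthenticationHost auth.example.internal -Authentication ON -authnVsName auth_vs
add cs vserver cs_front SSL 10.10.10.40 443 -cltTimeout 180
add cs policy cs_pol_intranet -rule "HTTP.REQ.HOSTNAME.EQ(\\"intranet.example.com\\")"
bind cs vserver cs_front -policyName cs_pol_intranet -targetLBVserver lb_intranet -priority 100
"""

LB_RE = re.compile(r"^add lb vserver (\S+) (\S+) (\S+) (\S+)(.*)$")
CS_BIND_RE = re.compile(r"^bind cs vserver (\S+) .*-targetLBVserver (\S+)")
# "-Authentication ON" must not match the "-AuthenticationHost" option.
AUTH_ON_RE = re.compile(r"-Authentication\s+ON\b")


def parse_lb_vservers(config):
    """Return {name: {"ip", "port", "auth"}} for every 'add lb vserver' line."""
    vservers = {}
    for line in config.splitlines():
        m = LB_RE.match(line.strip())
        if not m:
            continue
        name, _svc_type, ip, port, options = m.groups()
        vservers[name] = {
            "ip": ip,
            "port": port,
            "auth": bool(AUTH_ON_RE.search(options)),
        }
    return vservers


def cs_targets(config):
    """Return the set of LB vservers that some CS vserver policy forwards to."""
    targets = set()
    for line in config.splitlines():
        m = CS_BIND_RE.match(line.strip())
        if m:
            targets.add(m.group(2))
    return targets


def audit(config):
    """List (vserver_name, issue) pairs for AAA-TM LB vservers, in config order.

    ROUTABLE_VIP:  authentication is ON but the VIP is not 0.0.0.0 port 0,
                   so the vserver is directly addressable.
    NO_CS_BINDING: the VIP is non-addressable as recommended, but no CS
                   vserver policy targets it, so legitimate traffic cannot
                   reach it.
    """
    findings = []
    targets = cs_targets(config)
    for name, vs in parse_lb_vservers(config).items():
        if not vs["auth"]:
            continue
        non_addressable = vs["ip"] == "0.0.0.0" and vs["port"] == "0"
        if not non_addressable:
            findings.append((name, "ROUTABLE_VIP"))
        elif name not in targets:
            findings.append((name, "NO_CS_BINDING"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SAMPLE_CONFIG):
        print(f"{issue}: {name}")
```

On the constructed sample the script reports lb_intranet_old as ROUTABLE_VIP and lb_hr as NO_CS_BINDING; lb_intranet is non-addressable and reachable only through the Content-Switching policy, which is the intended end state.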
Acknowledgements
Citrix thanks Bouke van Laethem of KPN for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change
October 25th 2016 | Initial Publishing
October 26th 2016 | Updated CVE ID, fixed firmware on NetScaler ADC 10.5
October 29th 2016 | Updated affected versions and products