CVE-2016-9028 - Unauthorized Redirect flaw in Citrix NetScaler ADC could result in session hijack

Related Vulnerabilities: CVE-2016-9028  

Description of Problem

An unauthorized redirect vulnerability has been identified in Citrix NetScaler ADC in the AAA-TM flow that could allow a remote attacker to obtain session cookies of a redirected AAA user.

This vulnerability does not impact NetScaler Gateway.

The following vulnerability has been addressed:

CVE-2016-9028: Unauthorized Redirect on Citrix NetScaler ADC could result in session hijack

The vulnerability affects the following versions of Citrix NetScaler ADC:

  • Version 11.0 earlier than 11.0 Build 65.31/65.35F
  • Version 10.5 earlier than 10.5 Build 61.11
  • Version 10.1 earlier than 10.1 Build 135.8

Please note that NetScaler ADC version 11.1 contains the firmware fixes since its initial release. It will still, however, require the additional configuration changes described in the section below.


What Customers Should Do

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC:

  • Citrix NetScaler ADC version 11.0 Build 65.31/65.35F and later
  • Citrix NetScaler ADC version 10.5 Build 61.11 and later
  • Citrix NetScaler ADC version 10.1 Build 135.8 and later

These new versions can be downloaded from the following location:

https://www.citrix.com/downloads/netscaler-adc.html

Citrix strongly recommends that customers using affected versions of the NetScaler ADC upgrade to a version of the appliance firmware that contains the fixes for this issue as soon as possible to avoid being exploited.


In addition to the firmware upgrade, customers across all currently supported versions (including NetScaler ADC 11.1) should also implement the following configuration change. This configuration change is required for all deployments that utilize AAA-TM for authentication and data flow.

The following steps should be performed from the NSCLI:

  • Ensure that the Load-Balancing virtual server IP address is non-routable from the external world:

add lb vserver <internal_vserver> SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -AuthenticationHost <authentication_hostname> -Authentication ON -authnVsName <auth_vserver> -authnProfile <auth_profile>

  • Bind this virtual server entity to a service to allow traffic to be routed to the back-end server:

add service <backend_service> <ip_addr> HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

bind lb vserver <internal_vserver> <backend_service>

  • Configure a routable Content-Switching policy to identify valid FQDN(s) or IP address(es) in the enterprise subnet and bind this to a Content-Switching virtual server:

add cs vserver <cs_vserver> SSL <IP_addr> 443 -cltTimeout 180

bind ssl vserver <cs_vserver> -certkeyName <certkey>

add cs policy <cs_policy_host> -rule "HTTP.REQ.HOSTNAME.EQ(\"<valid FQDN/IP>\")"

bind cs vserver <cs_vserver> -policyName <cs_policy_host> -targetLBVserver <internal_vserver> -priority 100

As with all configuration changes, Citrix recommends that the customers verify the functionality within a test environment prior to releasing to production.
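The Content-Switching step above works as a gate: a request reaches the AAA-protected LB vserver (and so the AAA-TM flow) only when its Host header matches an approved enterprise FQDN or IP, which is what the rule HTTP.REQ.HOSTNAME.EQ("<valid FQDN/IP>") expresses. The following Python model is an added illustration and is not NetScaler code or part of this advisory; it shows what such a host gate must get right (ports, letter case, trailing dots, userinfo in the authority, IP literals) and reuses the same allowlist to check that a post-authentication redirect target stays inside the enterprise, which goes slightly beyond the appliance configuration itself. The allowlist entries, hostnames and sample requests are constructed for the example.

```python
"""
Model of the host gate that the advisory's Content-Switching configuration
creates in front of the AAA-protected LB vserver. Added illustration, not
NetScaler code; allowlist and sample values are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: one entry per CS policy that would be bound on the
# appliance with HTTP.REQ.HOSTNAME.EQ("<valid FQDN/IP>").
ALLOWED_HOSTS = frozenset({"intranet.example.com", "portal.example.com", "10.0.5.20"})


def normalize_host(raw):
    """Canonical hostname from a Host header value or URL authority:
    lower-case, no port, no userinfo, no trailing dot, IP literals in
    canonical textual form. Returns None when nothing usable is present."""
    if not raw:
        return None
    try:
        # "//authority" is parsed exactly like a URL's netloc, so user@host,
        # host:port and [v6-literal]:port are all handled for us.
        host = urlsplit("//" + raw.strip()).hostname
    except ValueError:          # e.g. an unbalanced IPv6 bracket
        return None
    if not host:
        return None
    host = host.rstrip(".")     # "intranet.example.com." is the same FQDN
    try:
        return str(ipaddress.ip_address(host))   # canonical IP spelling
    except ValueError:
        return host                              # a DNS name


def host_allowed(raw_host):
    """True when the request's Host header names an approved FQDN/IP."""
    host = normalize_host(raw_host)
    return host is not None and host in ALLOWED_HOSTS


def route(host_header):
    """Mimic the CS vserver decision for one request: forward it to the
    internal LB vserver (which then enforces AAA-TM) or drop it."""
    return "internal_vserver" if host_allowed(host_header) else "drop"


def redirect_target_allowed(location):
    """Accept a Location value only if it is a same-host path or an absolute
    http(s) URL whose authority resolves to an approved host. Scheme-relative
    ("//host/..."), backslash-prefixed and userinfo forms end up at the same
    hostname check or are rejected outright."""
    if not location:
        return False
    loc = location.strip()
    if loc.startswith("/") and not loc.startswith(("//", "/\\")):
        return True             # relative path, stays on the current host
    parts = urlsplit(loc)
    if parts.scheme not in ("https", "http", ""):
        return False            # javascript:, data:, etc.
    return host_allowed(parts.netloc)


if __name__ == "__main__":
    samples = ["intranet.example.com:443", "PORTAL.example.com.", "10.0.5.20:8443",
               "evil.example.net", "portal.example.com@evil.example.net", ""]
    for h in samples:
        print(f"Host {h!r:45} -> {route(h)}")
    for loc in ["/dashboard", "//evil.example.net/x",
                "https://portal.example.com/home",
                "https://portal.example.com@evil.example.net/"]:
        print(f"Location {loc!r:50} -> {'allow' if redirect_target_allowed(loc) else 'reject'}")
```

The normaliser is deliberately the single point that both checks go through: a hostname comparison that forgets to strip a port or userinfo, or that is case-sensitive, will let a request past the gate that the appliance rule would have stopped, or drop legitimate traffic to the same FQDN written differently.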


Acknowledgements

Citrix thanks Bouke van Laethem of KPN for working with us to protect Citrix customers.


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date               Change
October 25th 2016  Initial Publishing
October 26th 2016  Updated CVE ID, fixed firmware on NetScaler ADC 10.5
October 29th 2016  Updated affected versions and products