Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware

Description of Problem

A number of security vulnerabilities have been identified in firmware used in the Lights Out Management (LOM) component across all NetScaler-based hardware appliances:

  • Citrix NetScaler Application Delivery Controller (ADC)
  • Citrix NetScaler Gateway
  • Citrix NetScaler Service Delivery Appliance
  • Citrix CloudBridge (now NetScaler SD-WAN)
  • Citrix Command Center Appliance
  • Citrix NetScaler T1 (formerly Citrix ByteMobile)

The following vulnerabilities have been addressed:

  • CVE-2013-3607 (High): Stack-based Buffer Overflow
  • CVE-2013-3608 (High): Improper Input Validation
  • CVE-2013-3609 (High): Improper Privilege Management
  • CVE-2013-3619 (High): Static Encryption Keys
  • CVE-2013-3620 (High): Hardcoded WSMan Credentials
  • CVE-2013-3621 (High): Buffer overflow in login.cgi
  • CVE-2013-3623 (High): Buffer overflow in close_window.cgi CGI application
  • CVE-2013-3622 (High): Buffer overflow in logout.cgi CGI application
  • CVE-2013-4421 (Medium): Denial of service caused by 'buf_decompress()' function
  • CVE-2013-4434 (Medium): User-enumeration possible due to timing error during authentication
  • CVE-2014-3508 (Medium): Information leak in pretty printing functions
  • CVE-2014-3509 (Medium): Race condition in ssl_parse_serverhello_tlsext
  • CVE-2014-3511 (Medium): OpenSSL TLS protocol downgrade attack
  • CVE-2014-3567 (High): Session Ticket Memory Leak
  • CVE-2014-3566 (Low): SSL 3.0 Fallback protection (POODLE)
  • CVE-2014-3568 (Medium): Build option no-ssl3 is incomplete
  • CVE-2014-3569 (Medium): no-ssl3 configuration sets method to NULL
  • CVE-2014-3572 (Medium): ECDHE silently downgrades to ECDH
  • CVE-2014-3570 (Medium): Bignum squaring may produce incorrect results
  • CVE-2014-8275 (Medium): Certificate fingerprints can be modified
  • CVE-2015-0204 (Medium): RSA silently downgrades to EXPORT_RSA
  • CVE-2015-0205 (Medium): DH client certificates accepted without verification
  • CVE-2015-0286 (Medium): Segmentation fault in ASN1_TYPE_cmp
  • CVE-2015-0287 (Medium): ASN.1 structure reuse memory corruption
  • CVE-2015-0292 (High): Base64 decode buffer overflow
  • CVE-2015-0293 (Medium): DoS via reachable assert in SSLv2 servers
  • CVE-2015-0209 (Medium): Use After Free following d2i_ECPrivatekey error
  • CVE-2015-0288 (Medium): X509_to_X509_REQ NULL pointer dereference
  • CVE-2015-4000 (Low): DHE man-in-the-middle protection (Logjam)
  • CVE-2015-1788 (Medium): Malformed ECParameters causes infinite loop
  • CVE-2015-1789 (High): Exploitable out-of-bounds read in X509_cmp_time
  • CVE-2015-1792 (Medium): CMS verify infinite loop with unknown hash function
  • CVE-2015-1791 (Medium): Race condition handling NewSessionTicket

The vulnerabilities mentioned above have varying levels of potential impact, the most severe of which allow a remote unauthenticated attacker to access sensitive information, cause a denial of service, or execute arbitrary code as a privileged user. Please note that there are other vulnerabilities mentioned above of equal or lesser severity that are fixed in the latest firmware.

These vulnerabilities affect the following versions of the LOM firmware:

  • 8xxx-based and T1010-based NetScaler MPX/SDX appliances, CB2000 and CB3000 CloudBridge appliances with LOM versions earlier than version 3.21.
  • 11500/13500/14500/16500/18500/20500, 115xx, 17550/19550/20550/21550-based and T1100-based NetScaler MPX/SDX appliances, CB4000 and CB5000 CloudBridge appliances with LOM versions earlier than version 3.39.
  • 22xxx-based and T1200-based NetScaler MPX/SDX appliances with LOM versions earlier than version 3.24.
  • 14xxx and 25xxx-based and T1120 and T1300-based NetScaler MPX/SDX appliances with LOM versions earlier than version 4.08.


Mitigating Factors

These vulnerabilities can only be exploited through the LOM Ethernet port. Customers who have not connected the LOM Ethernet port on their appliances remain unaffected.

When deployed in line with Citrix NetScaler Secure Deployment recommendations, access to the vulnerable LOM Ethernet port would be limited to trusted users, and the risks presented by these issues would be greatly reduced.


What Customers Should Do

These vulnerabilities have been addressed in the following versions of the LOM firmware:

  • LOM firmware version 3.21 for 8xxx-based and T1010-based NetScaler MPX/SDX appliances, CB2000 and CB3000 CloudBridge appliances. Please note that appliances manufactured on or later than Jan 15, 2016 already contain LOM firmware version 3.21.
  • LOM firmware version 3.39 for 11500/13500/14500/16500/18500/20500, 115xx, 17550/19550/20550/21550-based and T1100-based NetScaler MPX/SDX appliances, CB4000 and CB5000 CloudBridge appliances. Please note that appliances manufactured on or later than Jan 15, 2016 already contain LOM firmware version 3.39.
  • LOM firmware version 3.24 for 22xxx-based and T1200-based NetScaler appliances. Please note that appliances manufactured on or later than June 7, 2016 already contain LOM firmware version 3.24.
  • LOM firmware version 4.08 for 14xxx and 25xxx-based and T1120 and T1300-based NetScaler MPX/SDX appliances. Please note that appliances manufactured on or later than April 21, 2016 already contain LOM firmware version 4.08.

Customers on all platforms should verify the LOM firmware version on their deployment. Citrix strongly recommends that affected customers follow the instructions at the following link to update their BMC firmware to a version that contains the fixes for these issues:

https://www.citrix.com/downloads/netscaler-adc/components/lom-firmware-upgrade.html
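Added example (not Citrix's code or tooling): a Python check that maps an appliance model to the first fixed LOM firmware version listed above and flags any appliance whose reported LOM version is older, comparing versions numerically so that 3.9 is correctly treated as older than 3.21. The model string format ('MPX 8200', 'SDX-22040', 'T1300'), the hostnames and the inventory rows are constructed assumptions; reading the LOM version from an appliance follows the linked upgrade instructions and is not shown here.

```python
import re

# First fixed LOM version per platform family, from "What Customers Should Do".
FIX_3_21, FIX_3_39, FIX_3_24, FIX_4_08 = (3, 21), (3, 39), (3, 24), (4, 8)
# Older MPX/SDX models the advisory names explicitly in the 3.39 group.
OLDER_MPX_SDX = {11500, 13500, 14500, 16500, 18500, 20500,
                 17550, 19550, 20550, 21550}

def parse_version(text):
    """'3.21' -> (3, 21); compare numerically, since '3.9' > '3.21' as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def fixed_lom_version(model):
    """First fixed LOM version for a model string, or None if the advisory does not
    cover it. Names like 'MPX 8200', 'SDX-22040' or 'T1300' are an assumed format."""
    m = re.sub(r"[\s-]", "", model.upper())
    if m in ("T1010", "CB2000", "CB3000"):
        return FIX_3_21
    if m in ("T1100", "CB4000", "CB5000"):
        return FIX_3_39
    if m == "T1200":
        return FIX_3_24
    if m in ("T1120", "T1300"):
        return FIX_4_08
    hit = re.fullmatch(r"(?:MPX|SDX)(\d{4,5})", m)
    if not hit:
        return None
    num = int(hit.group(1))
    # Explicitly named older models first: 14500 is in the 3.39 group, not 14xxx.
    if num in OLDER_MPX_SDX or 11500 <= num <= 11599:
        return FIX_3_39
    if 8000 <= num <= 8999:
        return FIX_3_21
    if 22000 <= num <= 22999:
        return FIX_3_24
    if 14000 <= num <= 14999 or 25000 <= num <= 25999:
        return FIX_4_08
    return None

def needs_lom_upgrade(model, lom_version):
    """True if LOM is older than the fix, False if fixed, None if not covered."""
    fixed = fixed_lom_version(model)
    return None if fixed is None else parse_version(lom_version) < fixed

# Constructed sample inventory rows: (hostname, model, lom_version).
SAMPLE_INVENTORY = [("ns-1", "MPX 8200", "3.9"), ("ns-2", "MPX 14500", "3.39"),
                    ("ns-3", "SDX 14020", "4.01"), ("wan-1", "CB4000", "3.12")]

def flag_inventory(inventory=SAMPLE_INVENTORY):
    """Hostnames whose row needs the LOM upgrade: ['ns-1', 'ns-3', 'wan-1']."""
    return [host for host, model, ver in inventory if needs_lom_upgrade(model, ver)]
```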


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date               Change
September 8, 2016  Initial Publishing
February 9, 2017   Removed guidance on silent upgrades from What Customers Should Do
February 27, 2017  Amended Mitigating Factors and What Customers Should Do