Citrix NetScaler: Access privileged data - Remote/unauthenticated

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3181
         TLS vulnerabilities patched in Citrix NetScaler products
                             13 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix NetScaler Application Delivery Controller
                   Citrix NetScaler Gateway
Publisher:         Citrix
Operating System:  Network Appliance
                   Virtualisation
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-17549 CVE-2017-17382 

Original Bulletin: 
   https://support.citrix.com/article/CTX230612
   https://support.citrix.com/article/CTX230238

Comment: This bulletin contains two (2) Citrix security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

CTX230612

Information Disclosure in Citrix NetScaler Application Delivery Controller
(ADC) and NetScaler Gateway Client TLS Handshake

Applicable Products

  * NetScaler 12.0
  * NetScaler 11.1
  * NetScaler 11.0
  * NetScaler 10.5
  * NetScaler Gateway 12.0
  * NetScaler Gateway 11.1
  * NetScaler Gateway 11.0
  * NetScaler Gateway 10.5

Description of Problem

A vulnerability has been identified in the Citrix NetScaler Application
Delivery Controller (ADC) and NetScaler Gateway Packet Engine that could result
in the disclosure of cleartext traffic from the backend client TLS handshake. 

This vulnerability only affects connections between a Citrix Netscaler ADC or
NetScaler Gateway virtual appliance and a backend server where both TLS with
client certificates is enabled and where a Diffie-Hellman Ephemeral (DHE) key
exchange is used. 

Citrix NetScaler MPX and NetScaler SDX hardware appliances are not impacted by
this vulnerability.

This vulnerability has been assigned the following CVE:

  * CVE-2017-17549: Information Disclosure in Citrix NetScaler Application
    Delivery Controller (ADC) and NetScaler Gateway Client TLS Handshake

This vulnerability affects the following versions of Citrix NetScaler ADC and
NetScaler Gateway virtual appliances:

  * Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build
    53.22
  * Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build
    56.19
  * Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build
    71.22
  * Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build
    67.13

- -------------------------------------------------------------------------------

Mitigating Factors

In deployments where TLS with Client Certificates is not used, or where DHE key
exchange is not used, the virtual appliances are not impacted.

- -------------------------------------------------------------------------------

What Customers Should Do

This vulnerability has been addressed in the following versions of Citrix
NetScaler ADC and NetScaler Gateway:

  * Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 53.22 and
    later
  * Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 56.19 and
    later
  * Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 71.22 and
    later 
  * Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 67.13 and
    later

These new versions can be found on the Citrix website at the following
locations:

https://www.citrix.com/downloads/netscaler-adc/

https://www.citrix.com/downloads/netscaler-gateway/

Citrix recommends that affected customers upgrade their vulnerable NetScaler
appliances to a version of the appliance firmware that contains a fix for this
issue as part of their normal patching schedule.

- -------------------------------------------------------------------------------

Acknowledgements

Citrix thanks the IBM Security Team for working with us to protect Citrix
customers

- -------------------------------------------------------------------------------

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge Center
at  http://support.citrix.com/.

- -------------------------------------------------------------------------------

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at  https://www.citrix.com/support/open-a-support-case.html. 

- -------------------------------------------------------------------------------

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For guidance on how to report
security-related issues to Citrix, please see the following document: CTX081743
- - Reporting Security Issues to Citrix

- -------------------------------------------------------------------------------

Changelog

+-----------------------------------------------------------------------------+
|Date                                  |Change                                |
|--------------------------------------+--------------------------------------|
|12th December 2017                    |Initial publishing                    |
+-----------------------------------------------------------------------------+


- -------------------------------------------------------------------------------

CTX230238

TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery
Controller (ADC) and NetScaler Gateway

Applicable Products

  * NetScaler 12.0
  * NetScaler 11.1
  * NetScaler 11.0
  * NetScaler 10.5
  * NetScaler Gateway 12.0
  * NetScaler Gateway 11.1
  * NetScaler Gateway 11.0
  * NetScaler Gateway 10.5

Description of Problem

A vulnerability has been identified in the Citrix NetScaler Application
Delivery Controller (ADC) and NetScaler Gateway Packet Engine that could allow
an attacker to exploit the appliance to decrypt TLS traffic. 

This vulnerability has been assigned the following CVE:

  * CVE-2017-17382: TLS Padding Oracle Vulnerability in Citrix NetScaler
    Application Delivery Controller (ADC) and NetScaler Gateway

This vulnerability affects the following versions of Citrix NetScaler ADC and
NetScaler Gateway:

  * Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build
    53.22
  * Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build
    56.19
  * Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build
    71.22
  * Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build
    67.13

This vulnerability does not allow an attacker to obtain the TLS private key. 

In deployments where TLS private keys are shared between different devices, any
of these vulnerable appliances could potentially be used to decrypt TLS traffic
handled by the other devices. As a consequence, all vulnerable devices must be
patched to address this issue.

- -------------------------------------------------------------------------------

Mitigating Factors

Citrix NetScaler ADC and NetScaler Gateway appliances that are configured to
only use Perfect Forward Secrecy (PFS) cipher suites are not affected by this
vulnerability.

- -------------------------------------------------------------------------------

What Customers Should Do

This vulnerability has been addressed in the following versions of Citrix
NetScaler ADC and NetScaler Gateway:

  * Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 53.22 and
    later
  * Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 56.19 and
    later
  * Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 71.22 and
    later 
  * Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 67.13 and
    later

These new versions can be found on the Citrix website at the following
locations:

https://www.citrix.com/downloads/netscaler-adc/

https://www.citrix.com/downloads/netscaler-gateway/

Citrix strongly recommends that affected customers upgrade all of their
vulnerable NetScaler appliances to a version of the appliance firmware that
contains a fix for this issue as soon as possible.

- -------------------------------------------------------------------------------

Acknowledgements

Citrix would like to thank the following for working with us to protect Citrix
customers:

  * Hanno Bock (hanno@hboeck.de)
  * Juraj Somorovsky (juraj.somorovsky@rub.de) of Ruhr-Universit?t Bochum /
    Hackmanit GmbH
  * Craig Young (vuln-report@secur3.us) of Tripwire VERT

- -------------------------------------------------------------------------------

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge Center
at  http://support.citrix.com/.

- -------------------------------------------------------------------------------

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at  https://www.citrix.com/support/open-a-support-case.html. 

- -------------------------------------------------------------------------------

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For guidance on how to report
security-related issues to Citrix, please see the following document: CTX081743
- - Reporting Security Issues to Citrix

- -------------------------------------------------------------------------------

Changelog

+-----------------------------------------------------------------------------+
|Date                                  |Change                                |
|--------------------------------------+--------------------------------------|
|12th December 2017                    |Initial publishing                    |
+-----------------------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWjC0p4x+lLeg9Ub1AQj4ThAAoMNZc/h6Hxv1ONbJiuXocIZTDnK7/IU+
8Lbo8L9w3z6gZevMnSyJeT0ohw4lf4jGLXyjx77sNTA1biW70BsfhsFnmnhhoJ77
E0k4nRQTPamL+f7Q0f/HPpB5Fk9MEuBl6mtF+dFz1y3clU7kb05AX4rQZNZUHZVp
FXr485UG4beD8TPQkRaQbxflHUmvm+/u7BzH+rvFZNsFWeQ0QuDKgfczxLHs69la
Mfizz5mAY0L+RCHJ5XaOznlYDgNwO62+MELIxFIfDWt9o6sf92VxBIXT2WNOs8LE
XXRmGo1BwzIJUj7z1BN5FjLiZGskEQdTk/FzLRbMg9B17uXWpYV691pA6g66Lcar
tcT4uHAKLZOxuut3zmd1qxW7pzjSpVILrOXc46S/0B7Wk7O91agdYMmaJ58B/IWz
CNiBTvpR32LaDCQ1nS2S5g8h9FM8vQnKoZnZR2XmhlpxqI7b0RyqaIBFH3YF0Ix+
PKm6b+NH4+C2ciycZlk/rlx0mM5OUFfuhREo0zn/ijS/o3BcneD0WUnh1uVvRk9B
8vM/KXAPQ5J0Wm9J6Oc5pe1ivOe0fC3Lrede+YV1eGxQ3FkCOg4ifXCWrUFIPdXQ
S7KRw/Rn0wPXg4YWUzhLmIg1ayfkjkSmWjXCK5QxcU8zz0PSBiaMtsWigbN3tcTU
iDWlbJkXZU4=
=/27I
-----END PGP SIGNATURE-----