Technical Update Bulletin

Authentication Bypass Vulnerability in Citrix NetScaler

Please contact our Operations Center if we can assist you with addressing this critical Citrix NetScaler security issue, which requires updates.

Sincerely,

Centrinet Support Team

support@centrinetcorp.com

678.373.0450

Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface

DESCRIPTION OF PROBLEM

A vulnerability has been identified in the management interface of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that, if exploited, could allow an attacker with access to the NetScaler management interface to gain administrative access to the appliance.

This vulnerability has been assigned the following CVE number:

  • CVE-2017-14602: Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface

This vulnerability affects the following product versions:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build 53.13 (except for build 41.24)
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build 55.13
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build 70.16
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build 66.9
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5e earlier than build 60.7010.e
  • Citrix NetScaler ADC and NetScaler Gateway version 10.1 earlier than build 135.18

MITIGATING FACTORS

In order to exploit this vulnerability, an attacker would require access to the management interface of the NetScaler. In situations where customers have deployed their NetScaler ADC and NetScaler Gateway appliances in line with industry best practice, network access to this interface should already be restricted.


WHAT CUSTOMERS SHOULD DO

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 41.24 and build 53.13 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 55.13 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 70.16 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 66.9 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5e build 60.7010.e and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.1 build 135.18 and later

Citrix strongly recommends that customers impacted by this vulnerability upgrade to a version of the Citrix NetScaler ADC or NetScaler Gateway that contains a fix for this issue as soon as possible.
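To triage an estate against the affected-build list above, here is an added Python helper (not part of the Citrix advisory or this bulletin) that classifies a NetScaler version banner as affected, fixed, or not covered; it assumes the `show ns version` output shape `NetScaler NS12.0: Build 53.13.nc, Date: ...` and treats `.e` builds as the 10.5e train.

```python
import re
from typing import Optional, Tuple

# First fixed build per release, taken from the advisory text (CTX227928, CVE-2017-14602).
# Builds are compared as (major, minor) integer tuples, so 135.18 > 66.9.
FIRST_FIXED_BUILD = {
    "12.0": (53, 13),
    "11.1": (55, 13),
    "11.0": (70, 16),
    "10.5": (66, 9),
    "10.5e": (60, 7010),
    "10.1": (135, 18),
}
# Earlier builds that also carry the fix (12.0 build 41.24 per the advisory).
FIXED_EXCEPTIONS = {"12.0": {(41, 24)}}

# Assumed banner shape; the trailing ".e" marks an enhanced (10.5e) build.
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s*(\d+)\.(\d+)(\.e)?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (release, build) from a version banner, or None if it does not parse."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    release = m.group(1) + ("e" if m.group(4) else "")
    return release, (int(m.group(2)), int(m.group(3)))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the banner is an affected build, False if fixed, None if the release is not listed."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    release, build = parsed
    if release not in FIRST_FIXED_BUILD:
        return None
    if build in FIXED_EXCEPTIONS.get(release, set()):
        return False
    return build < FIRST_FIXED_BUILD[release]


if __name__ == "__main__":
    # Constructed banners for a quick self-check.
    for banner in ("NetScaler NS12.0: Build 41.24.nc", "NetScaler NS12.0: Build 51.24.nc",
                   "NetScaler NS10.5: Build 55.8007.e", "NetScaler NS12.1: Build 48.13.nc"):
        print(banner, "->", is_vulnerable(banner))
```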

These versions are available on the Citrix website at the following addresses:

https://www.citrix.com/downloads/netscaler-adc/
https://www.citrix.com/downloads/netscaler-gateway/

In line with industry best practice, Citrix also recommends that customers limit access to the management interface to trusted network traffic only.

https://support.citrix.com/article/CTX227928

3rd party SSL Certificates to Expire

All publicly trusted SSL Certificates issued to internal names and reserved IP addresses will expire by November 1, 2015.

In November 2011 the CA/Browser Forum (CA/B) adopted Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, which took effect on July 1, 2012.

The requirements stated:

  • CAs should notify applicants prior to issuance that use of certificates with a Subject Alternative Name (SAN) extension or a Subject Common Name field containing a reserved IP address or internal server name has been deprecated by the CA/B.
  • CAs should not issue a certificate with an expiration date later than November 1, 2015 with a SAN or Subject Common Name field containing a reserved IP address or internal server name.

To read the rest of the article from DigiCert, click here.

What does this mean for you?

If you have a publicly issued certificate for a server/network resource using a name like:

  • web1
  • web1.internal-only-domain.com
  • web1.domain.local
  • web1.domain.internal
  • 192.168.x.x
  • 10.x.x.x
  • 172.16.x.x

That certificate will expire by Nov 1, 2015. This will most likely affect Exchange deployments, because a high number of sites use internal domain names for their Exchange resources. Certificates issued by internal CAs will continue to work; this change only affects how third-party (public) CAs issue and handle these types of certificates.
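To find certificates caught by this rule, here is an added Python check (not from DigiCert or this bulletin) that flags CN/SAN values naming a reserved IP or a non-public host name; it assumes Python's standard `ipaddress` module, treats any non-global address as reserved, and uses the `.local` and `.internal` suffixes from the list above plus `.localhost`.

```python
import ipaddress

# Suffixes never delegated in the public DNS. ".local" and ".internal" come from the
# bulletin's examples; ".localhost" is added here (RFC 6761). A name such as
# "web1.internal-only-domain.com" is syntactically public and only falls under the
# rule if its zone is unregistered, which cannot be determined offline.
NON_PUBLIC_SUFFIXES = (".local", ".internal", ".localhost")


def is_internal_name(name: str) -> bool:
    """True when a CN/SAN value is an internal host name or a reserved (non-global) IP."""
    name = name.strip().rstrip(".").lower()
    if name.startswith("*."):          # wildcard SAN: judge the base domain
        name = name[2:]
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        pass
    else:
        # Covers 10/8, 172.16/12 and 192.168/16 from the bulletin, plus loopback,
        # link-local and other non-global ranges the Baseline Requirements reserve.
        return not addr.is_global
    if "." not in name:                # unqualified host name such as "web1"
        return True
    return name.endswith(NON_PUBLIC_SUFFIXES)


def flag_certificate_names(names):
    """Return the CN/SAN entries a public CA will no longer issue after Nov 1, 2015."""
    return [n for n in names if is_internal_name(n)]


if __name__ == "__main__":
    # Constructed SAN list modelled on the bulletin's examples.
    sample = ["mail.example.com", "web1", "web1.domain.local",
              "192.168.10.5", "web1.internal-only-domain.com"]
    print(flag_certificate_names(sample))
```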

More information can be found at the following links:

Citrix StoreFront: Update Receiver for HTML5

Here is a short instructional guide to update your HTML5 receiver for StoreFront.

1. First you will need to verify your current version:

[Screenshot: step 1]

2. Once verified, download the HTML5 update:

[Screenshot: step 2]

3. Execute CitrixHTML5Client-x64:

[Screenshot: step 3]

4. Now refresh your StoreFront console:

[Screenshot: step 4]


You’re done!

April 2015 Chrome Update and Citrix StoreFront

Google’s latest Chrome update (April 2015) disables the Netscape Plugin Application Programming Interface (NPAPI). This change has the following effects when accessing a Citrix StoreFront site:

  1. Users will be prompted to install Citrix Receiver every time they access the StoreFront website.
  2. When clicking a published application the browser will ask the user to save the ICA file. Once saved they can click the ICA file to launch the requested session.
  3. Workspace control will be disabled on Windows. This means that the “Follow Me” feature of Citrix will not work when using Chrome.

Here are the suggested workarounds:

  1. Receiver install prompt:
    • Modify the code within the StoreFront site to stop offering Chrome users client downloads.
    • Another option is to modify the code to create a permanent download link in the StoreFront website.
  2. Save ICA instead of launching the session automatically:
    • Download the ICA file and then use the option within the browser dialog bar to tell Chrome to “Always open files of this type”.
  3. Workspace control “Follow me”:
    • Modify the code in the StoreFront website to create an alternative method of enabling Workspace control. Be careful doing this in double-hop scenarios as it will break.
    • Double-hop = Client → XD session → Open Chrome installed locally in the session and go to the StoreFront site → Access the XenApp published application.

Further information, along with all of the necessary code to make the above changes, can be found here: http://blogs.citrix.com/2015/03/09/preparing-for-npapi-being-disabled-by-google-chrome/

Provisioning Services (PVS) and Daylight-Saving Time

With daylight-saving time beginning at week’s end (March 8 at 2am), we wanted to provide an overview of the issues that can occur with PVS delivered desktops and XenApp servers.

Some of the issues that occur as a result of the time change are:

  • Time not showing correctly in the Desktop or XenApp server,
  • Desktop failure to register with DDCs,
  • User inability to log on due to domain trust relationship issues caused by the VM/Domain time difference.

The Fix:

  1. Open up your PVS delivered image(s) in read/write mode after the time change has occurred on Sunday.
  2. Run “w32tm /resync /nowait” at the command prompt.
  3. Set the image(s) back to read only, following your normal image preparation procedures.

Remember, you must reboot all PVS delivered desktops and servers after you make the above changes to ensure they receive the updated version.

Being proactive will help ensure a smooth Monday morning for all of your users!

More information on this issue can be viewed here: http://support.citrix.com/article/CTX200058

SSL Certification: SHA-1 to SHA-2

Google’s Chrome web browser is updating its requirements and phasing out support for SSL certificates signed with the older SHA-1 hash algorithm that expire after Dec. 31, 2015. This change may affect websites with SHA-1 certificates.

The following godaddy.com article will bring you up to date on the details and give instructions on how to get a replacement certificate signed with SHA-2.

https://garage.godaddy.com/webpro/security/google-chrome-phasing-ssl-certs-using-sha-1/

With constantly evolving technology it’s important to stay ahead of the curve. By taking a proactive approach and upgrading your SSL certificate to the SHA-2 signature algorithm, you will better secure your website and applications. We recommend you update your SSL certificates as soon as possible.

XenDesktop 7.5 Performance Metrics Tool Issue

The XenDesktop 7.5 VDA Core Services desktop patches and all server patches released prior to September 2014 have an issue that requires an immediate fix. These VDA Core Services patches misconfigure the Citrix performance counters, which prevents tools such as the Desktop Director HDX monitors (and the standalone HDX Monitor tool) from working properly when viewing the performance metrics of a session.

Citrix has released a new patch to correct this. This new patch must be installed on top of any previous patches.

Patches for XenDesktop 7.5 desktop OS x64 VDA Core Services:

  • ICAWS750WX64008 will break the Citrix monitoring performance counters.
  • ICAWS750WX64011 will fix the performance counters, but does not contain any of the previous hotfixes (so you will need both).

Patch details can be viewed here:

Symptoms

This issue will show up as the following when viewing in each of their respective tools:

  • Desktop Director

[Screenshot: Desktop Director]

  • HDX Monitor

HDX Monitor will refuse to connect to the target device.

  • Event Viewer

You will receive an event on the DDC from which the Desktop Director web page was served. See the example below.

Log Name:      Application
Source:        Citrix Director Service
Date:          10/13/2014 10:43:51 AM
Event ID:      5
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      XENDDC1.contoso.com
Description:
Failed to connect to data source 'The broker service reported an error. See the event log for more information.' ('http://xenddc1.contoso.com/Citrix/BrokerAdminService/v2').
Verify that the data source is available.
User: 'contoso.com\Admin_account'
Console operation: 'Retrieving running applications details...'
Additional diagnostics information (error message):
'Failed to execute broker synchronous command='GetIcaLatency'
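To spot this symptom in exported DDC logs rather than by eye, here is an added Python detector (not a Citrix tool) that parses an event in the Event Viewer "copy as text" layout and matches the signature shown above; the sample event is constructed from the bulletin's example, and the match on `GetIcaLatency` is an assumption based on that single example.

```python
import re
from typing import Dict

# Constructed sample mirroring the bulletin's Citrix Director Service event
# (contoso.com hostnames are the bulletin's own placeholders).
SAMPLE_EVENT = """Log Name:      Application
Source:        Citrix Director Service
Date:          10/13/2014 10:43:51 AM
Event ID:      5
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      XENDDC1.contoso.com
Description:
Failed to connect to data source 'The broker service reported an error. See the event log for more information.' ('http://xenddc1.contoso.com/Citrix/BrokerAdminService/v2').
Verify that the data source is available.
User: 'contoso.com\\Admin_account'
Console operation: 'Retrieving running applications details...'
Additional diagnostics information (error message):
'Failed to execute broker synchronous command='GetIcaLatency'
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

# Broker command named in the bulletin's failing event (assumption: extend as more are seen).
COUNTER_DEPENDENT_COMMANDS = ("GetIcaLatency",)


def parse_event(text: str) -> Dict[str, str]:
    """Split the 'Key: value' header fields from the free-text Description block."""
    fields: Dict[str, str] = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Description:"):
            fields["Description"] = "\n".join(lines[i + 1:]).strip()
            break
        m = HEADER_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def is_perf_counter_symptom(text: str) -> bool:
    """True when an event matches the broken-counter signature from the bulletin."""
    ev = parse_event(text)
    if ev.get("Source") != "Citrix Director Service" or ev.get("Event ID") != "5":
        return False
    desc = ev.get("Description", "")
    return "BrokerAdminService" in desc and any(c in desc for c in COUNTER_DEPENDENT_COMMANDS)
```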

Managing the iOS8 Headache

 

As you may know, Apple will release the newest version of iOS (iOS 8) this week. This event usually translates into a headache day for IT admins as users clog up the business internet links with Apple software update traffic. The good news is that there are a couple of ways to manage this.


Google Accounts and Passwords Released

A text file of nearly 5 million unique Google (xxx@gmail.com) accounts was released September 9 on a Russian forum. Reports are still limited, but it appears the accounts (most of Russian origin) were not hacked from Google and instead are a collection of login and password pairs that were phished, virus-captured, and gathered from non-Google sites and sources. Some reports indicate this list is old, and many of the passwords are non-functioning already.

With news of any leak of this size, it is a good idea to change all of your passwords, even if your account isn’t on the list. It is also not a good idea to use any sites that offer the ability to “check if you’re on the list.”

CitrixOnline Go-To-xxxx and HeartBleed

As a follow-up to my earlier post, Citrix has now released an official statement regarding its online services portfolio. The following products have been tested and confirmed safe from the Heartbleed bug.