Description of Problem
A vulnerability has been identified in the Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Packet Engine that could allow an attacker to exploit the appliance to decrypt TLS traffic.
This vulnerability has been assigned the following CVE:
- CVE-2017-17382: TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway
This vulnerability affects the following versions of Citrix NetScaler ADC and NetScaler Gateway:
- Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build 53.22
- Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build 56.19
- Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build 71.22
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build 67.13
This vulnerability does not allow an attacker to obtain the TLS private key.
In deployments where TLS private keys are shared between different devices, any of these vulnerable appliances could potentially be used to decrypt TLS traffic handled by the other devices. As a consequence, all vulnerable devices must be patched to address this issue.
Mitigating Factors
Citrix NetScaler ADC and NetScaler Gateway appliances that are configured to only use Perfect Forward Secrecy (PFS) cipher suites are not affected by this vulnerability.
What Customers Should Do
This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:
- Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 53.22 and later
- Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 56.19 and later
- Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 71.22 and later
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 67.13 and later
These new versions can be found on the Citrix website at the following locations:
https://www.citrix.com/downloads/netscaler-adc/
https://www.citrix.com/downloads/netscaler-gateway/
Citrix strongly recommends that affected customers upgrade all of their vulnerable NetScaler appliances to a version of the appliance firmware that contains a fix for this issue as soon as possible.
Acknowledgements
Citrix would like to thank the following for working with us to protect Citrix customers:
- Hanno Böck (hanno@hboeck.de)
- Juraj Somorovsky (juraj.somorovsky@rub.de) of Ruhr-Universität Bochum / Hackmanit GmbH
- Craig Young (vuln-report@secur3.us) of Tripwire VERT
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
| Date | Change |
| 12th December 2017 | Initial publishing |