NetScaler Fails Secure Cookie Security Vulnerability Scan When Using useSecuredPersistenceCookie Option


Article ID: CTX203682


Description

PCI vulnerability scanners report that NetScaler-hosted virtual servers using COOKIEINSERT persistence are vulnerable because the NSC_ persistence cookie is set without the Secure attribute, even when the useSecuredPersistenceCookie option is enabled.

Example CVEs: CVE-2004-0462, CVE-2008-3663, CVE-2008-3662, CVE-2008-0128
Qualys QID: 150122

Environment


Resolution

This finding is a false positive provided that the NetScaler is configured with the useSecuredPersistenceCookie option together with a strong cookiePassphrase (both are set as global load balancing parameters). The scanner is reporting the absence of the Secure attribute; the persistence cookie's value is encrypted under that passphrase, so its contents are not exposed even if the cookie is transmitted over plaintext HTTP. Confirm that the parameter is actually enabled before closing the finding, and treat the passphrase as a shared secret, since the protection rests on it.

Additionally, persistence cookies (named NSC_<name> by default) carry no session identifier or authentication material. They only tell the NetScaler which backend server the client is pinned to, so the cookie cannot be used to impersonate a user or hijack a session. Without encryption the value does reveal the address of the backend server, which is the disclosure that the passphrase-based encryption is meant to prevent.

Note: Prior to NetScaler 10.5 build 55.8, the useSecuredPersistenceCookie option is not available. On those builds, upgrade, or at a minimum serve any virtual server that uses COOKIEINSERT persistence over SSL only, so that the persistence cookie is never transmitted in cleartext.


Problem Cause

  • Vulnerability scanners check for the Secure attribute on cookies, which tells the browser to send the cookie only over an SSL/TLS connection. The scan does not recognise applications that instead protect the contents of the cookie with their own encryption.
  • The useSecuredPersistenceCookie option instructs the NetScaler to encrypt the persistence cookie's contents with the supplied cookiePassphrase. That protects the value itself rather than controlling when the browser sends it, which is a different control than the one the scanner tests for.
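The following is an added example, not code from the Citrix article or from NetScaler. It reproduces the attribute-only check that such a scanner applies to Set-Cookie headers, so that the finding can be verified against a virtual server's actual response, and then triages each hit the way the article's reasoning does. The HTTP response, the virtual server name and the NSC_ cookie value are constructed for the example; the value is a placeholder and not a real NetScaler encoding.

```python
# Added example: scanner-style Secure-attribute check over Set-Cookie headers,
# followed by the triage the article describes for NSC_ persistence cookies.
# RAW_RESPONSE is a constructed response; the NSC_ value is a placeholder only.
from typing import Dict, List, NamedTuple

RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    # Persistence cookie as emitted without the Secure attribute (constructed value)
    "Set-Cookie: NSC_example_vip=0123456789abcdef0123456789abcdef; path=/\r\n"
    # Application session cookie that already carries the attributes
    "Set-Cookie: JSESSIONID=8A3F2C1D; Path=/; Secure; HttpOnly\r\n"
    # Ordinary application cookie without Secure
    "Set-Cookie: pref=light; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)


class Cookie(NamedTuple):
    name: str
    value: str
    attrs: Dict[str, str]  # attribute name (lower-cased) -> value, '' for bare flags


def parse_set_cookie(header_value: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def cookies_from_response(raw: str) -> List[Cookie]:
    """Return every cookie set by a raw HTTP response (status line skipped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            found.append(parse_set_cookie(val.strip()))
    return found


def is_persistence_cookie(cookie: Cookie) -> bool:
    """NetScaler COOKIEINSERT persistence cookies use the NSC_ prefix by default."""
    return cookie.name.startswith("NSC_")


def missing_secure(raw: str, over_tls: bool = True) -> List[str]:
    """The scanner's rule: a cookie set over TLS must carry the Secure attribute.
    Nothing here looks at the cookie value, so an encrypted value still fails."""
    if not over_tls:
        return []
    return [c.name for c in cookies_from_response(raw) if "secure" not in c.attrs]


def triage(raw: str, secured_persistence_enabled: bool) -> Dict[str, str]:
    """Classify each finding: NSC_ cookies are a false positive only when the
    NetScaler has useSecuredPersistenceCookie (with a passphrase) enabled."""
    verdicts = {}
    for cookie in cookies_from_response(raw):
        if cookie.name not in missing_secure(raw):
            continue
        if is_persistence_cookie(cookie):
            verdicts[cookie.name] = (
                "encrypted persistence cookie, no session data: false positive"
                if secured_persistence_enabled
                else "plaintext persistence cookie: enable useSecuredPersistenceCookie or upgrade"
            )
        else:
            verdicts[cookie.name] = "application cookie: add the Secure attribute"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(RAW_RESPONSE, secured_persistence_enabled=True).items():
        print(f"{name}: {verdict}")
```

Run it against a header dump captured from the virtual server in place of RAW_RESPONSE: the NSC_ cookie is reported by missing_secure whether or not its value is encrypted, which is exactly the scanner's behaviour, and only the triage step, fed the NetScaler configuration state, turns that hit into a false positive.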
