Article ID: CTX235592
Description
Outlook is stuck in "Connecting" and repeatedly prompts for authentication.
For testing:
Switching to MAPI over HTTP works.
Using SSL Bridge works.
If Outlook connects directly to the back-end server, it works.
The symptoms pointed to an HTTP processing issue on NetScaler. A trace showed the following:
For reference, pink is client-side traffic and green is back-end traffic.
Outlook sends the auth information in frame #7273 with a Content-Length of 1GB, and the subsequent packet #7311 has 104 bytes of data.
This auth information was not being forwarded to the back-end server, which was the problem.
Resolution
In summary:
1. We know the policy is causing the issue, as unbinding it solves the problem.
2. Removing the policy entirely from the global binding introduces the risk that vulnerable servers behind NetScaler can be compromised; the customer should be made aware of that.
Possible solutions:
1. Unbind the policy and accept the risk.
2. Create another responder policy ahead of the existing one (lower priority number) with action NOOP and GotoExpression END, using an expression that matches the Outlook RPC traffic so the problematic policy is not hit. Per documentation available online this is safe because the vulnerability seems to affect Linux only and Exchange servers are on Windows; however, the customer needs to review this on their own to determine risk / feasibility.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-6271
3. Unbind this policy and use NetScaler AppFirewall Signatures to protect against the vulnerability.
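Possible solution 2 written out as NetScaler CLI, as an added example that is not configuration from the original article. The policy name Outlook_RPC_bypass, the priorities 90 and 100, the REQ_DEFAULT bind point and the /rpc/rpcproxy.dll path (the default Outlook Anywhere endpoint on Exchange) are assumptions to adjust to the actual deployment.

```netscaler
# Added example, not from the original article.
# Assumptions: ShellShock_policy is bound globally at priority 100 in
# REQ_DEFAULT, and Outlook Anywhere (RPC over HTTP) uses the default
# Exchange path /rpc/rpcproxy.dll.

# 1. Check where the existing policy is bound and at which priority.
show responder policy ShellShock_policy

# 2. Policy that matches only the Outlook RPC endpoint.
#    The rule reads the URL path only, never the request body.
add responder policy Outlook_RPC_bypass "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(\"/rpc/rpcproxy.dll\")" NOOP

# 3. Bind it at the same bind point with a lower priority number and
#    END as the goto expression, so evaluation stops on a match and
#    ShellShock_policy (priority 100) is never reached for RPC traffic.
bind responder global Outlook_RPC_bypass 90 END -type REQ_DEFAULT

# 4. Verify: the hit counter of the bypass rises when Outlook connects,
#    while ShellShock_policy still evaluates every other request.
show responder policy Outlook_RPC_bypass
show responder policy ShellShock_policy
```

The bypass applies to any client that requests this path, not only Outlook, so it is acceptable only while everything served behind that path is Exchange on Windows. An exact path match (`EQ`) rather than a prefix match keeps the unprotected surface as small as possible.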
Problem Cause
The following responder policy was bound globally to protect against the ShellShock vulnerability. By definition, this policy needs to inspect 1000 bytes of the HTTP body. In this case, however, the client sent 1GB as the content size and only 104 bytes in the subsequent packet, so NetScaler waits for the rest of the data (1000-104 = 896 bytes) before it can evaluate the policy, and buffers the packet instead of forwarding it.
add responder policy ShellShock_policy "HTTP.REQ.FULL_HEADER.REGEX_MATCH(re/\(\)\s*{/) || HTTP.Req.BODY(1000).REGEX_MATCH(re/\(\)\s*{/) || HTTP.REQ.URL.QUERY.REGEX_MATCH(re/\(\)(\s*|\++){/) || HTTP.REQ.BODY(1000).REGEX_MATCH(re#%28%29[+]*%7B#)" DROP -logAction ShellShock_Log