A vulnerability has recently been disclosed that could allow attackers to intercept and modify SSL/TLS encrypted traffic to servers that support export cipher suites.
Citrix is actively analyzing the impact of this issue on currently supported products. As an initial mitigation step, Citrix recommends configuring any exposed SSL/TLS server endpoints to disable all export cipher suites.
Customers should contact their normal Citrix Support representative for advice on configuring any SSL/TLS servers to mitigate this issue. Specific configuration guidance on disabling export cipher suites for Internet facing server products will be added to this document in the near future.
SSL vServer Cipher Configuration:
By default, the ciphers available for use by NetScaler ADC and NetScaler Gateway SSL vServers do not contain EXPORT ciphers. However, if EXPORT ciphers have been configured for use, it is possible to manually remove these from use on a per vServer basis using the following command from the NSCLI:
set ssl vserver <vServer name> -eRSA DISABLED
Management Interface Cipher Configuration:
By default, the ciphers available for use by the NetScaler ADC and NetScaler Gateway management interface (NSIP) do not contain EXPORT ciphers. However, if EXPORT ciphers have been configured for use, it is possible to manually remove these from use on the NSIP using the following NSCLI command:
set ssl service nshttps-127.0.0.1-443 -eRSA DISABLED (for IPv4)
set ssl service nshttps-::1l-443 -eRSA DISABLED (for IPv6)
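Added example, not from the Citrix bulletin: a small Python probe to confirm, after applying the settings above, that an endpoint no longer negotiates an export cipher suite. It sends a TLS 1.0 ClientHello that offers only export suites and classifies the first record the server returns; the host and port are whatever endpoint you are checking (assumed arguments).

```python
import os
import socket
import struct
import sys

# Export-grade suites from the TLS cipher suite registry (RSA and DHE export
# variants); the "-eRSA DISABLED" setting above removes the RSA export ones.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_client_hello(suites=EXPORT_SUITES):
    """TLS 1.0 ClientHello that offers *only* export suites (no extensions)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs         # cipher_suites vector
            + b"\x01\x00")                            # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify_response(data, suites=EXPORT_SUITES):
    """Classify the server's first record: ('export', suite) means an export
    suite was negotiated; ('refused', why) means the server declined."""
    if not data:
        return ("refused", "connection closed")     # some servers just hang up
    if len(data) < 5:
        return ("unknown", None)
    ctype, body = data[0], data[5:]
    if ctype == 0x15 and len(body) >= 2:            # Alert record
        return ("refused", "alert %d" % body[1])    # 40 = handshake_failure
    if ctype == 0x16 and body[:1] == b"\x02" and len(body) > 38:  # ServerHello
        sid_len = body[38]                          # after type(1)+len(3)+ver(2)+random(32)
        off = 39 + sid_len
        if len(body) < off + 2:
            return ("unknown", None)
        suite = struct.unpack("!H", body[off:off + 2])[0]
        return ("export", suite) if suite in suites else ("unknown", suite)
    return ("unknown", None)

def probe(host, port=443, timeout=5.0):
    """Connect, send the export-only ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_client_hello())
        return classify_response(sock.recv(4096))

if __name__ == "__main__":
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A result of ('export', ...) means the endpoint still accepts an export suite; ('refused', ...) is the expected outcome once the configuration change is in place.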
In configurations where the NetScaler Service Delivery Appliance Service VM (SVM) is configured to act as a TLS client, this vulnerability may impact the SVM.
This vulnerability has been addressed in the following new versions of the SVM:
These new versions of the SVM can be obtained as part of the SDX virtual bundle from the Citrix website at the following address:
If SSL has been enabled for the CloudPlatform web interface, export ciphers should be disabled. This may be done by following the instructions in this article:
Citrix Command Center is impacted by this vulnerability. A new version of the product, 5.2 Build 44.8, has been released to address this vulnerability. This can be found at the following address:
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
| Date | Change |
|---|---|
| March 4th 2015 | Initial bulletin publishing |
| March 13th 2015 | Addition of NetScaler ADC and Gateway section |
| June 17th 2015 | Addition of CloudPlatform section |
| October 13th 2015 | Addition of Command Center and NetScaler Service Delivery Appliance sections |