CVE-2013-4786 for LOM vulnerability


Article ID: CTX234367

Description

Mitigation recommendations for vulnerability CVE-2013-4786: 

1. Set up SSL on the LOM port to encrypt credentials during login.

2. Follow the Secure Deployment Guide for Citrix ADC to isolate all management ports, including the BMC management port, on a management VLAN, as is industry best practice. This limits the threat to internal employees who have access to the VLAN; Internet hackers cannot get in. The Citrix ADC appliance has three zones: Internet Zone, Intranet Zone, and Management Zone. Once VLANs are set up, an external hacker would need to break through the Citrix ADC appliance or other Citrix Gateway to get to the BMC.

3. Use the latest BMC image for your platform to ensure RAKP+ is in use.

4. Security-conscious customers can easily set a random 16-character password using any number of free password generators. The security company NortonLifeLock provides an example generator:

https://identitysafe.norton.com/password-generator/ 

5. Follow the Secure Deployment Guide for Citrix ADC to set up RADIUS-based, centrally controlled user/password and role-based management, which allows quick network-wide changes to passwords, roles and users. The RADIUS/Active Directory admin can set the passwords for the BMC roles, ensuring that a password generator is used and that passwords expire.

IPMI authentication is local and is separate from the network-based LDAP auth. 

The only currently credible defense against breaking IPMI auth, short of turning off the IPMI port (which isn’t possible currently), is having truly random 128-bit passwords. The computational capabilities of the LOM do not matter here, since the attacker performs the computation offline and is restricted only by the capabilities of their own computational cluster.

Isolating/air-gapping the LOM on a separate management VLAN and setting 16-character random passwords would also assist in preventing attacks.
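
The following Python code is an added example, not part of the original article and not Citrix code. It generates the 16-character random password recommended above from the operating system's CSPRNG and computes how its entropy compares with the 128-bit figure. The 94-symbol alphabet and the guess rate of 1e12 per second are assumptions; check which characters and lengths your LOM firmware accepts.

```python
import math
import secrets
import string

# Assumption: the LOM accepts all 94 printable ASCII symbols; trim this
# alphabet if your BMC firmware rejects some characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    if length < 1 or len(set(alphabet)) != len(alphabet):
        raise ValueError("need a positive length and an alphabet without repeats")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits, alphabet_size):
    """Shortest password length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate offline at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("password:", generate_password())
    # Compare three alphabets at the recommended length of 16 characters.
    for name, size in (("hex", 16), ("alphanumeric", 62), ("printable ASCII", 94)):
        bits = entropy_bits(16, size)
        print(f"16 chars, {name:15s}: {bits:6.1f} bits; "
              f"{min_length_for_bits(128, size)} chars for 128 bits; "
              f"{years_to_exhaust(bits, 1e12):.2e} years at 1e12 guesses/s (assumed)")
```

The figures hold only for passwords drawn uniformly at random, as the generator above does; a human-chosen 16-character password has far less entropy than the calculation suggests.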
 

Remediation to CVE-2013-4786 on specific MPX platforms:

The recommended minimum LOM versions for the listed MPX model series can be obtained by installing these firmware images or newer:
12.1.60.21+
13.0.71.4+

LOM Version 5.56
MPX Model series: 15000, 15000-50G, 26000, 26000-50S, 26000-100G

LOM Version 4.61
MPX Model series: 5900, 8900


1. Please update the LOM by following: 
https://docs.citrix.com/en-us/citrix-hardware-platforms/mpx/netscaler-mpx-lights-out-management-port-lom/upgrading-the-lom-firmware.html 

2. After upgrading to the latest LOM/firmware, customers can enable SMC RAKP in the LOM. Instructions:
https://docs.citrix.com/en-us/citrix-hardware-platforms/mpx/netscaler-mpx-lights-out-management-port-lom/rakp-topology-on-citrix-adc-appliances.html

Issue/Introduction

Mitigation recommendations for vulnerability CVE-2013-4786 and recommended remediation on specific MPX platform series.

Additional Information

Secure Deployment Guide for Citrix ADC / Introduction to best practices for Citrix ADC MPX, VPX, and SDX security - https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html