SEC Consult Vulnerability Lab Security Advisory < 20131003-0 > ======================================================================= title: nsconfigd NSRPC_REMOTECMD Denial of service vulnerability product: Citrix NetScaler vulnerable version: NetScaler 10.0 (Build <76.7) fixed version: NetScaler 10.0 (Build >=76.7) not affected: NetScaler 10.1 and 9.3 impact: Critical homepage: http://www.citrix.com found: 2012-12-10 by: Stefan Viehböck SEC Consult Vulnerability Lab https://www.sec-consult.com =======================================================================
Vendor/product description: --------------------------- "Citrix NetScaler helps organizations build enterprise cloud networks that embody the characteristics and capabilities that define public cloud services, such as elasticity, expandability and simplicity. NetScaler brings to enterprise IT leaders multiple advanced technologies that were previously available only to large public cloud providers." "As an undisputed leader of service and application delivery, Citrix NetScaler solutions are deployed in thousands of networks around the globe to optimize, secure and control the delivery of all enterprise and cloud services. They deliver 100 percent application availability, application and database server offload, acceleration and advanced attack protection. Deployed directly in front of web and database servers, NetScaler solutions combine high-speed load balancing and content switching, http compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into a single, easy-to-use platform." URL: http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html Vulnerability overview/description: ----------------------------------- A vulnerability was found in the nsconfigd daemon (TCP port 3008 (SSL) and 3010). This daemon can be crashed by sending a specially crafted message. No prior authentication is necessary. A watchdog daemon (pitboss) automatically restarts nsconfigd after the first six crashes and then reboots the appliance. By sending just a few packets the appliance can be kept in a constant reboot loop resulting in total loss of availability. Proof of concept: ----------------- The nsconfigd daemon can be crashed for six times using the following Python script. Subsequently the appliance reboots. Detailed proof of concept exploits have been removed for this vulnerability. Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in Citrix NetScaler VPX (Build 70.7.nc), which was the most recent version at the time of discovery. Vendor contact timeline: ------------------------ 2013-03-27: Contacting vendor through sec...@citrix.com. 2013-03-28: Vendor provides encryption key. 2013-03-28: Sending advisory via secure channel. 2013-03-28: Vendor confirms receipt of advisory. 2013-04-08: Requesting status update. 2013-04-19: Requesting status update (again). 2013-04-22: Vendor confirms issues, is "in the process of scheduling required changes". 2013-06-05: Requesting status update. 2013-06-25: Requesting status update (again). 2013-06-25: Vendor is still "in the process of scheduling changes". 2013-08-14: Requesting status update (again) and setting deadline (Oct. 3rd). 2013-09-18: Vendor provides release dates for the update (Oct. 1st and 2nd). 2013-10-03: SEC Consult releases coordinated security advisory. Solution: --------- Update to Citrix NetScaler 10.0 Build 76.7. Vendor information can be found at: http://support.citrix.com/article/ctx139017 Workaround: ----------- No workaround available. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehböck / @2013