ESB-2018.1478 - [Appliance] Citrix NetScaler products: Root compromise - Unknown/unspecified 2018-05-15

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1478
   Vulnerability in Citrix NetScaler Application Delivery Controller and
 NetScaler Gateway leading to arbitrary code execution and host compromise
                                15 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix NetScaler Application Delivery Controller
                   Citrix NetScaler Gateway
Publisher:         Citrix
Operating System:  Network Appliance
Impact/Access:     Root Compromise                 -- Unknown/Unspecified
                   Execute Arbitrary Code/Commands -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7218  

Original Bulletin: 
   https://support.citrix.com/article/CTX234869

- --------------------------BEGIN INCLUDED TEXT--------------------

CTX234869

Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler
Gateway leading to arbitrary code execution and host compromise

Security Bulletin | Critical
Created: 14 May 2018 | Modified: 14 May 2018

Applicable Products

  * NetScaler Gateway 12.0
  * NetScaler Gateway 11.1
  * NetScaler Gateway 11.0
  * NetScaler Gateway 10.5

Description of Problem

A flaw has been identified in the AppFirewall feature of Citrix NetScaler
Application Delivery Controller (ADC) and Citrix NetScaler Gateway that could
result in arbitrary code execution and host compromise.

The following vulnerability has been addressed:

CVE-2018-7218 (Critical): Vulnerability in Citrix NetScaler Application
Delivery Controller and NetScaler Gateway leading to arbitrary code execution
and host compromise

The vulnerability affects the following versions of Citrix NetScaler ADC and
NetScaler Gateway:

* Version 12.0 earlier than 12.0 Build 57.24

* Version 11.1 earlier than 11.1 Build 58.13

* Version 11.0 earlier than 11.0 Build 71.24

* Version 10.5 earlier than 10.5 Build 68.7

- -------------------------------------------------------------------------------

Mitigating Factors

Only Citrix NetScaler ADC and NetScaler Gateway appliances that have been
configured to use the AppFirewall functionality are affected by this
vulnerability.

As a temporary workaround, customers using the AppFirewall feature may
reconfigure the profile settings to only process HTML traffic:

set appfw profile <profilename> -type HTML

A full explanation of configuration options and steps is available here.

Please note that this may involve potential functionality loss depending on
your deployment. Reconfiguring the Citrix NetScaler ADC or NetScaler Gateway
appliance according to these instructions will disable any previously
configured XML checks.

 

- -------------------------------------------------------------------------------

What Customers Should Do

This vulnerability has been addressed in the following versions of Citrix
NetScaler ADC and NetScaler Gateway:

* Citrix NetScaler ADC and NetScaler Gateway version 12.0 Build 57.24 and later

* Citrix NetScaler ADC and NetScaler Gateway version 11.1 Build 58.13 and later

* Citrix NetScaler ADC and NetScaler Gateway version 11.0 Build 71.24 and later

* Citrix NetScaler ADC and NetScaler Gateway version 10.5 Build 68.7 and later

Citrix NetScaler ADC and NetScaler Gateway version 10.1 is not planned to be
updated as part of this issue. Customers on version 10.1 should plan to move to
a later version to receive the latest security updates.
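The fixed-build table above is easy to misread when a build has a point release (57.24 versus 57.19). The following is an added triage helper, not part of the Citrix or AusCERT bulletin, that encodes the advisory's fixed builds and classifies an appliance from its version string plus whether AppFirewall is configured; the version-string layout and the sample strings are assumptions constructed for the example.

```python
import re

# First fixed build per release, taken from CTX234869 / ESB-2018.1478.
# Key: (major, minor) release; value: (build, point) tuple for ordered comparison.
FIXED_BUILDS = {
    (12, 0): (57, 24),
    (11, 1): (58, 13),
    (11, 0): (71, 24),
    (10, 5): (68, 7),
}

# 10.1 receives no fix for this issue; the advisory says to migrate instead.
UNSUPPORTED_RELEASES = {(10, 1)}

# Assumed shape of the appliance's version line (constructed for this example):
#   "NetScaler NS12.0: Build 57.19.nc, Date: Feb 21 2018, 12:00:00"
VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text):
    """Return ((major, minor), (build, point)) from a NetScaler version line."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no NetScaler version string found")
    major, minor, build, point = (int(g) for g in m.groups())
    return (major, minor), (build, point)


def assess(version_line, appfw_configured):
    """Classify exposure to CVE-2018-7218 per the advisory.

    Returns one of:
      'unsupported'   - 10.1, no fix planned; migrate to a later release
      'not_listed'    - release not covered by the advisory table
      'not_affected'  - AppFirewall is not configured (mitigating factor)
      'patched'       - build is at or above the first fixed build
      'vulnerable'    - build is below the first fixed build
    """
    release, build = parse_version(version_line)
    if release in UNSUPPORTED_RELEASES:
        return "unsupported"
    if release not in FIXED_BUILDS:
        return "not_listed"
    if not appfw_configured:
        return "not_affected"
    # Tuple comparison orders (57, 19) < (57, 24) < (58, 1) correctly.
    return "patched" if build >= FIXED_BUILDS[release] else "vulnerable"
```

Feed it the output of the appliance's version command and the result of checking whether any AppFirewall profile is bound; "not_affected" still warrants upgrading at the next window, since enabling AppFirewall later re-exposes the appliance.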

These new versions can be downloaded from the following locations:

https://www.citrix.com/downloads/netscaler-adc.html

https://www.citrix.com/downloads/netscaler-gateway.html

Citrix strongly recommends that customers using affected versions of NetScaler
ADC and NetScaler Gateway upgrade to a version of the appliance firmware that
contains the fixes for this issue as soon as possible.

 

- -------------------------------------------------------------------------------

Acknowledgements

Citrix thanks Mathias Morbitzer and Dennis Titze of Fraunhofer AISEC for
working with us to protect Citrix customers.

- -------------------------------------------------------------------------------

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge Center
at  http://support.citrix.com/.

- -------------------------------------------------------------------------------

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at  https://www.citrix.com/support/open-a-support-case.html. 

- -------------------------------------------------------------------------------

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For guidance on how to report
security-related issues to Citrix, please see the following document: CTX081743
- Reporting Security Issues to Citrix

- -------------------------------------------------------------------------------

Changelog

+-----------------------------------------------------------------------------+
|Date                         |Change                                         |
|-----------------------------+-----------------------------------------------|
|May 14 2018                  |Initial Publishing                             |
+-----------------------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================