CVE-2016-9028 – Unauthorized Redirect flaw in Citrix NetScaler ADC could result in session hijack

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC:

  • Citrix NetScaler ADC version 11.0 Build 65.31/65.35F and later
  • Citrix NetScaler ADC version 10.5 Build 61.11 and later
  • Citrix NetScaler ADC version 10.1 Build 135.8 and later

These new versions can be downloaded from the following location:

Citrix strongly recommends that customers using affected versions of NetScaler ADC upgrade to a version of the appliance firmware that contains the fixes for this issue as soon as possible.

Please note that NetScaler ADC version 11.1 contains the firmware fixes since its initial release. It will still, however, require the configuration changes described below.

In addition to the firmware upgrade, customers across all currently supported versions (including NetScaler ADC 11.1) should also implement the following configuration change. This configuration change is required for all deployments that utilize AAA-TM for authentication and data flow.

The following steps should be performed from the NSCLI:

  • Create the AAA-TM-protected Load-Balancing virtual server as a non-addressable vserver (IP address 0, no routable VIP) so that it cannot be reached directly from outside; clients must go through the Content-Switching virtual server defined below:

add lb vserver <internal_vserver> SSL 0 -persistenceType NONE -cltTimeout 180 -AuthenticationHost <authentication_hostname> -Authentication ON -authnVsName <auth_vserver> -authnProfile <auth_profile>

  • Bind this virtual server entity to a service to allow traffic to be routed to the back-end server:

add service <backend_service> <ip_addr> HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO

bind lb vserver <internal_vserver> <backend_service>

  • Configure a routable Content-Switching virtual server in front of it, with a Content-Switching policy that matches only the valid FQDN(s) or IP address(es) of the enterprise subnet in the request Host header, and bind that policy to the Content-Switching virtual server. Only requests whose Host header matches the policy are forwarded to the internal Load-Balancing virtual server:

add cs vserver <cs_vserver> SSL <IP_addr> 443 -cltTimeout 180

bind ssl vserver <cs_vserver> -certkeyName <certkey>

add cs policy <cs_policy_host> -rule "HTTP.REQ.HOSTNAME.EQ(\"<valid FQDN/IP>\")"

bind cs vserver <cs_vserver> -policyName <cs_policy_host> -targetLBVserver <internal_vserver> -priority 100

As with all configuration changes, Citrix recommends that the customers verify the functionality within a test environment prior to releasing to production.
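The following Python script is an added example, not part of Citrix's advisory, that audits an ns.conf or `show running config` dump for AAA-TM Load-Balancing virtual servers (those with -Authentication ON) that do not follow the pattern above: a vserver that still has a routable VIP, one that is the default -lbvserver target of a Content-Switching vserver (so any Host header reaches it), or one that has no Content-Switching policy pinning the Host header in front of it. The configuration sample embedded in it is constructed: it fills the placeholders from the steps above with hypothetical names, documentation-range addresses and example.net hostnames, and adds two deliberately misconfigured vservers for the audit to catch.

```python
"""Audit a NetScaler ns.conf / `show running config` dump for AAA-TM
load-balancing vservers (-Authentication ON) that are reachable without
a hostname-pinned content-switching policy in front of them.

Added example, not Citrix code. Vserver/policy/service names, hostnames
and addresses in SAMPLE_NS_CONF are hypothetical (constructed sample)."""
import re
import shlex

# Constructed sample. lb_aaa_internal follows the advisory's pattern
# (non-addressable, reached only via a Host-pinned CS policy); the other
# two AAA-TM vservers are the misconfigurations the audit should catch.
SAMPLE_NS_CONF = r"""
add lb vserver lb_aaa_internal SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth.example.net -Authentication ON -authnVsName aaa_vs -authnProfile aaa_prof
add service svc_app 10.0.1.20 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp ON -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP NO
bind lb vserver lb_aaa_internal svc_app
add cs vserver cs_front SSL 203.0.113.10 443 -cltTimeout 180
bind ssl vserver cs_front -certkeyName cert_app
add cs policy cs_pol_host -rule "HTTP.REQ.HOSTNAME.EQ(\"app.example.net\")"
bind cs vserver cs_front -policyName cs_pol_host -targetLBVserver lb_aaa_internal -priority 100
add lb vserver lb_aaa_exposed SSL 203.0.113.11 443 -persistenceType NONE -Authentication ON -authnVsName aaa_vs
add lb vserver lb_aaa_default SSL 0.0.0.0 0 -Authentication ON -authnVsName aaa_vs
bind cs vserver cs_front -lbvserver lb_aaa_default
add lb vserver lb_plain HTTP 203.0.113.12 80 -persistenceType NONE
"""

# A CS rule counts as pinning the Host header only if it compares the
# hostname for equality (HTTP.REQ.HOSTNAME.EQ or HTTP.REQ.HOSTNAME.SERVER.EQ).
HOST_PIN = re.compile(r"HTTP\.REQ\.HOSTNAME(\.SERVER)?\.EQ\(", re.IGNORECASE)
NON_ADDRESSABLE = {"0", "0.0.0.0"}


def _opt(tokens, flag):
    """Value following a -flag option (case-insensitive), or None."""
    low = [t.lower() for t in tokens]
    if flag.lower() in low:
        i = low.index(flag.lower())
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            return tokens[i + 1]
    return None


def parse(text):
    """Extract LB vservers, CS policies, CS policy bindings and CS default targets."""
    lb, policies, bindings, defaults = {}, {}, [], []
    for raw in text.splitlines():
        tok = shlex.split(raw) if raw.strip() else []
        if tok[:3] == ["add", "lb", "vserver"]:
            # IP/port are positional; "SSL 0" (advisory form) and
            # "SSL 0.0.0.0 0" (ns.conf form) both mean non-addressable.
            ip = tok[5] if len(tok) > 5 and not tok[5].startswith("-") else "0.0.0.0"
            auth = (_opt(tok, "-Authentication") or "OFF").upper() == "ON"
            lb[tok[3]] = {"ip": ip, "auth": auth}
        elif tok[:3] == ["add", "cs", "policy"]:
            policies[tok[3]] = _opt(tok, "-rule") or ""
        elif tok[:3] == ["bind", "cs", "vserver"]:
            pol, target = _opt(tok, "-policyName"), _opt(tok, "-targetLBVserver")
            if pol and target:
                bindings.append((tok[3], pol, target))
            default = _opt(tok, "-lbvserver")
            if default:
                defaults.append((tok[3], default))
    return lb, policies, bindings, defaults


def audit(text):
    """Return sorted (vserver, finding) pairs for every AAA-TM LB vserver
    that is directly routable or reachable without a Host-pinned CS policy."""
    lb, policies, bindings, defaults = parse(text)
    findings = []
    for name, v in lb.items():
        if not v["auth"]:
            continue  # only AAA-TM protected vservers are in scope
        if v["ip"] not in NON_ADDRESSABLE:
            findings.append((name, "ROUTABLE_AAA_VSERVER"))
        elif any(target == name for _, target in defaults):
            # default CS target: requests with any Host header are forwarded to it
            findings.append((name, "DEFAULT_CS_TARGET_NO_HOST_CHECK"))
        elif not any(t == name and HOST_PIN.search(policies.get(p, ""))
                     for _, p, t in bindings):
            findings.append((name, "NO_HOST_PINNED_CS_PATH"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_NS_CONF):
        print(f"{name}: {finding}")
```

The script only follows the bind-time -targetLBVserver form used in the steps above; policies that route through a separate `add cs action` are not resolved and will surface as NO_HOST_PINNED_CS_PATH, so treat that finding as a prompt to check the binding by hand rather than as a confirmed exposure. Run it against the output of `show running config` saved from each appliance before and after applying the change.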

