Cisco Small Business Smart and Managed Switches Denial of Service Vulnerability

A vulnerability in the IPv6 packet processing engine of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient validation of incoming IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet through an affected device. A successful exploit could allow the attacker to cause an unexpected reboot of the switch, leading to a DoS condition.

This vulnerability is specific to IPv6 traffic. IPv4 traffic is not affected.

Cisco has released software updates that address this vulnerability for devices that have not reached the end of software maintenance. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbss-ipv6-dos-3bLk6vA

Security Impact Rating: High

CVE: CVE-2020-3363

Cisco StarOS IPv6 Denial of Service Vulnerability

A vulnerability in the IPv6 implementation of Cisco StarOS could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient validation of incoming IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet to an affected device with the goal of reaching the vulnerable section of the input buffer. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

This vulnerability is specific to IPv6 traffic. IPv4 traffic is not affected.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr5k-ipv6-dos-ce3zhF8m

Security Impact Rating: Medium

CVE: CVE-2020-3500

nFactor – Certificate Fallback to LDAP in Same Cascade with One Virtual Server for Certificate and LDAP Authentication on Citrix ADC

Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

This article describes the following scenario:

  1. The first factor is configured for either Certificate or LDAP authentication.

  2. If a user fails to present a certificate for authentication, there is an option to fall back to LDAP authentication.

  3. Only a single authentication vserver is needed to configure both.

This section describes these steps in detail. The first section briefly introduces the entities that are encountered in this document, and in general for nFactor authentication. The next section pictographically demonstrates the flow. The following sections have example “LoginSchema” that can be used to realize the logon form, and the relevant configuration.

Entities used in nFactor

LoginSchema

Login Schema is an XML construct that provides the UI tier with enough information to generate a user interface from the XML blob it receives. LoginSchema is a logical representation of the logon form in XML.

It can be added as:

add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwordExpression <Expression>

where authenticationSchema is a well-structured XML document that defines the way the login form is rendered. userExpression is used to extract the username from the login attempt; likewise, passwordExpression is used to extract the password.

Authentication Policylabel

Auth Policy label is a collection of authentication policies for a particular factor. It is recommended that these are pseudo-homogenous policies, which means, the credentials received from user apply to all the policies in the cascade. However, there are exceptions to this when a fallback option is configured or feedback mechanism is intended.

Authentication policy labels constitute secondary/user-defined factors. With nFactor, there’s no single “secondary” cascade. There could be “N” secondary factors based on configuration. There could be as many policy labels as desired and the number of factors for a given authentication is defined by the longest sequence of policylabels beginning with the vserver cascade.

When an authentication policy is bound to an authentication vserver, specify nextFactor, which names the policylabel/factor that is taken if the policy succeeds. Likewise, when policies are bound to policylabels, nextFactor specifies the next policylabel to continue with if the policy succeeds.

It can be added as:

add authentication policylabel <name> -loginSchema <loginSchemaName>

where loginSchemaName is the login schema to associate with this authentication factor.

We can bind authentication policies to this label:

bind authentication policylabel <name> -policy LDAP -priority 10 -nextfactor <nextFactorLabelName>

Use Case Description

  1. The user accesses the TM vserver and is redirected to the authentication vserver.

  2. If a user certificate is present on the client device, the user sees a prompt to select the certificate for authentication.

  3. Upon selecting the appropriate certificate, the user is authenticated and granted access to the backend resource.

  4. If no user certificate is present, the user instead sees a login page for LDAP authentication; on submitting the credentials, the user is authenticated and granted access to the backend resource.

Users see a login page with Username and Password fields. The labels for the username and password fields can be customized.

Here’s the example used for this specific representation of logon form:

<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status>
  <Result>more-info</Result>
  <StateContext/>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement>
        <Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential>
        <Label><Text>Enter Login Name:</Text><Type>plain</Type></Label>
        <Input>
          <AssistiveText>Please supply username as sAMAccountName</AssistiveText>
          <Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential>
        <Label><Text>Password:</Text><Type>plain</Type></Label>
        <Input>
          <Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>Hello, please submit password to continue login ...</Text><Type>confirmation</Type></Label>
        <Input/>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>

The customizable portions of the logon form are the label texts, the assistive text, the cancel button text and the confirmation message. Administrators can modify these values to suit their needs.
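To show what the UI tier actually consumes from this blob, here is an added example (not code from the article or from Citrix) that parses the LoginSchema above into the list of form fields it describes and then checks a submitted login against each field's Constraint regex, the way the form would before posting to the PostBack URL. The XML is a whitespace-expanded copy of the schema shown above; the field and function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by the AuthenticateResponse document.
NS = {"a": "http://citrix.com/authentication/response/1"}

# Constructed copy of the article's LoginSchema, whitespace added for readability.
LOGIN_SCHEMA = """<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status>
  <Result>more-info</Result>
  <StateContext/>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement>
        <Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential>
        <Label><Text>Enter Login Name:</Text><Type>plain</Type></Label>
        <Input>
          <AssistiveText>Please supply username as sAMAccountName</AssistiveText>
          <Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential>
        <Label><Text>Password:</Text><Type>plain</Type></Label>
        <Input>
          <Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>Hello, please submit password to continue login ...</Text><Type>confirmation</Type></Label>
        <Input/>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>
"""


def parse_login_schema(xml_text):
    """Turn the LoginSchema XML into the list of form fields the UI tier would render."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    form = {
        "postback": root.findtext("a:AuthenticationRequirements/a:PostBack", default="", namespaces=NS).strip(),
        "fields": [],
    }
    for req in root.findall(".//a:Requirement", NS):
        form["fields"].append({
            "id": req.findtext("a:Credential/a:ID", default=None, namespaces=NS),
            "type": req.findtext("a:Credential/a:Type", default="none", namespaces=NS),
            "label": req.findtext("a:Label/a:Text", default="", namespaces=NS).strip(),
            # Secret=true tells the UI to mask the input (a password field).
            "secret": req.findtext("a:Input/a:Text/a:Secret", default="false", namespaces=NS) == "true",
            # Constraint is a regex the submitted value must match; None for display-only requirements.
            "constraint": req.findtext("a:Input/a:Text/a:Constraint", default=None, namespaces=NS),
        })
    return form


def validate_submission(form, submitted):
    """Return the ids of credential fields whose submitted value violates their Constraint."""
    bad = []
    for field in form["fields"]:
        if field["id"] is None:          # confirmation text, nothing to submit
            continue
        value = submitted.get(field["id"], "")
        if field["constraint"] and re.fullmatch(field["constraint"], value) is None:
            bad.append(field["id"])
    return bad


if __name__ == "__main__":
    form = parse_login_schema(LOGIN_SCHEMA)
    for f in form["fields"]:
        print(f)
    print("invalid fields:", validate_submission(form, {"login": "", "passwd": "x"}))
```

The `.+` constraints in this schema only reject empty values; a tighter regex in the Constraint element is the place to enforce a username format client-side, although the policy on the ADC remains the authoritative check.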

nFactor Flow Presentation


Policies for this use-case

add lb vserver lb_ssl SSL 10.217.28.166 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth.aaatm.com -Authentication ON -authnVsName avn

add authentication vserver avn SSL 10.217.28.167 443 -AuthenticationDomain aaatm.com

bind authentication vserver avn -policy <Certificate Auth Policy> -priority 1 -gotoPriorityExpression NEXT

bind authentication vserver avn -policy <LDAP Auth Policy> -priority 2 -gotoPriorityExpression NEXT

The preceding configuration adds a TM vserver for resource access, adds an authentication vserver for securing the TM vserver, and binds the policies relevant to this use case. The placeholders in angle brackets are to be replaced with the appropriate authentication policies by the administrator.

The GOTO priority expression is NEXT by default, so that evaluation falls through to the next policy if the current one fails.

Certificate and LDAP Policy Configuration

The following is an example of certificate and LDAP policy configuration:

add authentication certAction ca -userNameField SubjectAltName:PrincipalName

add authentication Policy cert -rule true -action ca

add authentication ldapAction ldap-new -serverIP 10.217.28.180 -ldapBase "cn=users,dc=aaatm,dc=com" -ldapBindDn administrator@aaatm.com -ldapBindDnPassword 1.linux -ldapLoginName sAMAccountName -groupattrName memberof -subAttributeName CN

add authentication Policy ldap-new -rule true -action ldap-new

Configuration Through Visualizer

1. Go to Security > AAA - Application Traffic > nFactor Visualizer > nFactor Flow and click Add.

2. Click the + sign to add the nFactor Flow.

3. Add a Factor; its name will be the name of the nFactor Flow.

4. No schema needs to be selected for this configuration: certificate authentication does not require a login schema, and if authentication falls back to LDAP, the default login page is used.

5. Click Add Policy, choose the certificate authentication policy, and click Add.

For more information on client certificate authentication, see CTX205823.

6. Click the blue plus sign below the Cert_Policy just selected to add the LDAP authentication policy.

7. Select the LDAP_Policy and click Add.

For more information on creating LDAP authentication, see Configuring LDAP Authentication.

8. Click Done; this automatically saves the configuration.

9. Select the nFactor Flow just created and bind it to a AAA virtual server by clicking Bind to Authentication Server and then Create.

NOTE: Bind and unbind the nFactor Flow only through the option given under Show Bindings in nFactor Flow.

To unbind the nFactor Flow:

1. Select the nFactor Flow and click Show Bindings.

2. Select the authentication vserver and click Unbind.

Important ns.log Messages

  1. For the case when the certificate is absent:

ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New -NO_CLIENT_CERT-
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAA Message 437 0 : "NFactor: Cert Auth: certificate is absent, falling back nFactor login"
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAATM Message 438 0 : "LoginSchema policyeval did not return an active policy"
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 524 0 : SPCBId 568 - ClientIP 10.252.112.163 - ClientPort 54500 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 439 0 : "core 2: ns_get_username_password: loginschema gleaned is default "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 440 0 : "aaad_authenticate_req: copying policylabel name avn to aaa info, type 33 for auth "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 441 0 : "sslvpn_extract_attributes_from_resp: attributes copied so far are user11.citrix "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 442 0 : "sslvpn_extract_attributes_from_resp: total len copied 23, mask 0x5 "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAATM Message 443 0 : "SAMLIDP: Checking whether current flow is SAML IdP flow, input aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s"
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAATM Message 444 0 : "Invaid tass cookie while checking whether current authentication is due to idp functionality: aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s "
Jul 30 21:09:11 <local0.info> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAA EXTRACTED_GROUPS 445 0 : Extracted_groups "grp1,grp2,grp3,Group2,group1"

  2. For the case when the certificate is present:

Jul 30 21:10:36 <local0.debug> 127.0.0.2 07/30/2015:21:10:36 GMT 0-PPE-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 452 0 : SPCBId 596 - ClientIP 10.217.28.185 - ClientPort 57227 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session Reuse
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 539 0 : SPCBId 578 - ClientIP 10.217.28.185 - ClientPort 57226 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New- CLIENT_AUTHENTICATED -SerialNumber "140000000FAED08CAE9B092FEF00000000000F" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 13 21:05:01 2015 GMT" - ValidTo "Mar 12 21:05:01 2016 GMT"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 540 0 : SPCBId 578 - IssuerName " DC=com,DC=aaatm,CN=aaatm-DC-CA-1"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 541 0 : SPCBId 578 - SubjectName " DC=com,DC=aaatm,CN=Users,CN=user2"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAA Message 542 0 : "NFactor: Successfully completed cert auth, nextfactor is "
Jul 30 21:11:02 <local0.info> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAATM LOGIN 543 0 : Context users@10.217.28.185 - SessionId: 37- User users - Client_ip 10.217.28.185 - Nat_ip "Mapped Ip" - Vserver 10.217.28.167:443 - Browser_type "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLVPN Message 544 0 : "core 0: initClientForReuse: making aaa_service_fqdn_len 0 "
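When reviewing ns.log for this cascade, the lines that matter are the AAA "NFactor:" messages (did the user fall back from certificate to LDAP, or pass certificate auth?), the SSLLOG CLIENT_AUTHENTICATED record (which certificate serial was presented) and the AAATM LOGIN record (who logged in from where). The following is an added example, not part of the article, that parses those lines with one regex for the ns.log prefix and summarises them; the sample lines are copied from the excerpts above, one message per line, and the summary field names are this example's own.

```python
import re

# One regex for the ns.log prefix: syslog timestamp, facility, source address,
# ADC timestamp, packet engine, module, event name, message id, then the body.
NSLOG_RE = re.compile(
    r"^(?P<syslog>\w{3} +\d{1,2} \d\d:\d\d:\d\d) <(?P<facility>[^>]+)> \S+ "
    r"(?P<ts>\S+ GMT) (?P<ppe>\S+) : default (?P<module>\w+) (?P<event>\S+) "
    r"(?P<msgid>\d+) \d+ : (?P<body>.*)$"
)

# Sample lines taken from the article's ns.log excerpts (constructed input for this example).
SAMPLE_LOG = [
    'Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAA Message 437 0 : "NFactor: Cert Auth: certificate is absent, falling back nFactor login"',
    'Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAATM Message 438 0 : "LoginSchema policyeval did not return an active policy"',
    'Jul 30 21:09:11 <local0.info> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAA EXTRACTED_GROUPS 445 0 : Extracted_groups "grp1,grp2,grp3,Group2,group1"',
    'Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 539 0 : SPCBId 578 - ClientIP 10.217.28.185 - ClientPort 57226 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New- CLIENT_AUTHENTICATED -SerialNumber "140000000FAED08CAE9B092FEF00000000000F" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 13 21:05:01 2015 GMT" - ValidTo "Mar 12 21:05:01 2016 GMT"',
    'Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAA Message 542 0 : "NFactor: Successfully completed cert auth, nextfactor is "',
    'Jul 30 21:11:02 <local0.info> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAATM LOGIN 543 0 : Context users@10.217.28.185 - SessionId: 37- User users - Client_ip 10.217.28.185 - Nat_ip "Mapped Ip" - Vserver 10.217.28.167:443 - Browser_type "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"',
]


def parse_line(line):
    """Split one ns.log line into its prefix fields and body; None if it is not an ns.log line."""
    m = NSLOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count certificate fallbacks vs. successes and collect who logged in, from where, with which cert."""
    summary = {"cert_fallback": 0, "cert_success": 0, "client_auth_serials": [],
               "logins": [], "groups": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        module, event, body = rec["module"], rec["event"], rec["body"]
        if module == "AAA" and "NFactor: Cert Auth: certificate is absent" in body:
            summary["cert_fallback"] += 1          # cascade fell through to the LDAP policy
        elif module == "AAA" and "NFactor: Successfully completed cert auth" in body:
            summary["cert_success"] += 1           # first factor satisfied by the certificate
        elif module == "SSLLOG" and event == "SSL_HANDSHAKE_SUCCESS" and "CLIENT_AUTHENTICATED" in body:
            m = re.search(r'SerialNumber "([0-9A-Fa-f]+)"', body)
            if m:
                summary["client_auth_serials"].append(m.group(1))
        elif module == "AAATM" and event == "LOGIN":
            user = re.search(r" User (\S+) ", body)
            ip = re.search(r" Client_ip (\S+) ", body)
            summary["logins"].append({"ts": rec["ts"],
                                      "user": user.group(1) if user else None,
                                      "client_ip": ip.group(1) if ip else None})
        elif module == "AAA" and event == "EXTRACTED_GROUPS":
            m = re.search(r'Extracted_groups "([^"]*)"', body)
            if m:
                summary["groups"] = m.group(1).split(",")
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run over a day of ns.log, a rising cert_fallback count from client IPs that normally pass certificate auth is the signal worth alerting on: it usually means broken certificate enrollment on the endpoints, and every such session is authenticating on LDAP credentials alone.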

XenApp/XenDesktop USB Citrix Tested Device List

This article provides information regarding the USB devices used to test the generic USB remoting feature.

Note: Devices displayed are verified and any extra information required to configure them is included, with any limitations.

For devices not given in the list below, please refer to the Citrix Ready Marketplace.

Devices tested with XenDesktop 7.11 with Citrix Receiver for Windows 4.5. (see attached PDF for XenDesktop 7.6):

Device Type Win7, Win8, Win8.1, Win 10 Windows Server 2008 R2 Windows Server 2012 R2/2016
Optimized (Default) Generic Optimized(Default) Generic Optimized(Default) Generic
Mass Storage Device (PenDrive, USB Harddisk) Yes Yes Yes Yes Yes
Audio Device (Headset, Speaker) Yes Yes Yes Yes Yes
Webcam Device (Video Camera) Yes Yes Yes Yes Yes
SmartCard Readers * Yes Yes Yes
Keyboard * Yes Yes Yes Yes Yes
Mouse * Yes Yes Yes
3D Mouse Yes Yes
Scanner Yes Yes Yes Yes
Printer Yes Yes Yes Yes Yes
Phones (iOS) Yes Yes
Phones (Android) Yes Yes
Tablets (iOS)(Test with Ipad mini, Ipad3) Yes Yes
Tablets (Android) Yes Yes
Signature Pads (Wacom/Topaz) Yes Yes
Wacom Tablets Yes
DVD-Writer Yes Yes Yes Yes
USB 2.0 /3.0 hubs

Notes:

  • Device types marked with * are restricted for USB redirection by GPO (recommended settings).
  • A hub as a device is not redirected to the VDA; however, any devices plugged into the hub will redirect seamlessly.
  • Modem devices are blocked by the default policy.
  • MTP mode for Samsung devices gets policy restricted due to modem exposure to the client.
  • Phones and tablets are optimized by the “Client USB Plug and Play device redirection” policy, which is enabled by default for Windows Server OS only.

For Server OS

The USB client drivers must be compatible with RDSH for Windows 2012 R2.

Devices that are not fully virtualized, such as smart card readers, have no generic USB support on a Windows Server VDA because they rely on the dedicated service running in session 0 (the first session).

Mass Storage for Server OS is supported from 7.11 VDA.

Audio Device for Server OS is supported from Receiver 4.5 and VDA 7.8.

Encrypted USB redirection and Bitlocker to go devices are currently not supported with Server OS.

Device List

Overview of generic USB redirection support by USB device type (Virtual Delivery Agent for Desktop or Server OS).

Serial Number Make Model Notes/Comments
Mass Storage: [For Server OS supported from 7.11; safe eject from the taskbar for Server OS is not currently supported]
1 Sandisk 1GB Cruzer Micro U3 U3 autorun and eject features do not work within a XenDesktop session
2 Sandisk 4GB Titanium U3 U3 autorun and eject features do not work within a XenDesktop session
3 Sandisk MicroSD Card Reader (2Gb, 8Gb xD tested)
4 SanDisk 2GB Extreme III Compact Flash
5 Sandisk SDCZ64096A1 4GB Cruzer Micro with U3 Technology U3 autorun and eject features do not work within a XenDesktop session
6 SanDisk SDCZ50 4G
7 SanDisk Cruzer Micro Skin 2GB
8 Kingston 1GB USB 2.0 Migo Personal
9 Kingston 1GB Secure Digital Flash Card
10 Kingston Data Traveller Mini
11 Kingston 4GB DataTraveler
12 Seagate USB Hard drive ST305004exd (1TB)
13 Seagate USB 3.0 Hard Drive 1TB (Sno. 122B657IM)
14 Lexar 1GB Flash Drive
15 Lexar USB Dongle (xD Card)
16 Lexar 2GB Jump drive
17 Lexar USB flash memory stick
18 Laguna USB device (CDROM + Flash drive/U3)
19 Trust 7 in 1 Card reader
20 Sumvision 3.5″ USB2.0 & eSATA enclosure
21 Corsair Flash Voyager 16 GB (Corsair)
22 FujiFilm xD-Picture Card 512MB
23 Iomega Floppy plus 7-in-1 Card Reader Device drivers must be installed with administrator privilege prior to using this device.
24 PC Line PCL-EFD2X 3 1/2 Floppy Drive
25 Freecom FS-50 DVD +/- RW Does not work for Server OS
26 LaCie D2 Blu-Ray BluRay playback not supported over a network connection.
27 LG BE06 Blu-Ray/HD Player Super Multi Blue BluRay playback not supported over a network connection.
28 Microsoft 32MB Flash Drive
29 Belkin 256MB Mass Storage Device
30 Buffalo DVSM-PN58U2VB Device drivers must be installed with administrator privilege prior to using this device.
31 Lenovo USB2.0 memory stick
32 Transcend 16GB JetFlash 700 USB 3.0 Flash Drive
33 SSK USB3.0 8G/SFD201
34 Netac USB3.0 U903 8G
35 SAMSUNG SE-218CB DVD Writer Does not work for Server OS
36 SafeStick flash drive BLOCKMASTER BM9930
WebCams
1 Microsoft VX1000 LifeCam
2 Microsoft Lifecam VX-7000 The preview of video in Lync 2010 shows a black screen if device is connected to USB 3.0 port.
3 Microsoft Lifecam HD-3000
4 Logitech HD Pro C920 Sometimes, the device may appear in “Drives and Printers” on client even after launching a VDA session
5 Logitech C110 When a device is connected to the VDA through the client, sleep or hibernate actions may be delayed on the client machine.
6 Logitech QuickCam Pro 9000 In-session CPU usage might be high when the webcam is redirected to the VDA session
7 Creative VF0520
8 Creative Live! Cam Notebook Webcam
9 Teclast TL-T838-NDE2S
10 Webcam Pro 9000 An incorrect webcam name may be shown in the Devices tab of the Preferences window.
11 HP True Vision Integrated webcam
Headsets/Speakers: [For Server OS enable audio through Generic USB from client policy, supported from Receiver 4.5 and XenApp / XenDesktop 7.8 ]
1 Logitech H330 (USB Headset)
2 Logitech S150 (USB Speakers)
3 Logitech H340 (USB Headset) Audio experience may be unclear with Logitech H340 inside a session
4 Plantronics Blackwire C435-M
5 Plantronics Blackwire C310-M
6 Plantronics Voyager Legend UC + BT300 (Bluetooth Headset + Bluetooth USB Adapter)
7 Plantronics Blackwire C320-M
8 SALAR KX235 USB headset-USB 2.0
HID style devices
1 Wacom Bamboo Fun A6 Wide Tablet Mouse class device. Blocked by default policy
2 Wacom Bamboo One Mouse class device. Blocked by default policy
3 Wacom Bamboo touch tablet Mouse class device. Blocked by default policy
4 Bloomberg FreeBoard To use the Bloomberg (Message) Key, Bloomberg Audio redirection has to be enabled. If fingerprint scanner operation fails with high latency, an ICA custom channel has to be created for the scanner.
5 Bloomberg Starboard Requires two cables to be attached; for Server OS, enable Audio through Generic USB through the Client Policy
6 Vernier GoTemp Temperature Sensor
7 Vernier GoLink Multi Sensor
8 Kensington Orbit Mouse class device. Blocked by default policy
9 Microsoft Sidewinder X5 Mouse class device. Blocked by default policy, Requires Fingerprint driver locally
10 IBM KB with fingerprint reader Mouse class device. Blocked by default policy
Print/Scan Devices
1 Lexmark USB printer 800 series
2 Lexmark Multifunction USB printer scanner 1200 series
3 Canon Pixma MP620 -Multi Function Printer/Scanner
4 Canon iP5300 Printer
5 Canon CanScanLiDE 700F
6 Canon Lide 25 Colour Flatbed Scanner
7 Canon Pixma MP648
8 Canon CanoScan LiDE 110
9 HP ScanJet G3010
10 HP LaserJetP2014
11 HP DESKJET 2000
12 Epson Stylus DX4400 – multifunction AIO Printer/Scanner/Copier
13 WASP WCS3905 CCD barcode Scanner (USB) Displayed as a HID device, hence blocked by the default policy.
14 HP ScanJet Pro 3000S2 Twain 2.0 driver needs to be installed on client (Supported from 7.11)
Phone/PDA
1 Blackberry Pearl
2 Blackberry 8820
3 Blackberry 8320
4 Blackberry Curve 8900
5 Blackberry Curve 8520
6 Blackberry Curve 8900
7 Nokia N73 Mass storage mode working, PC Suite mode not available
8 Nokia N95 Mass storage mode working, PC Suite mode not available
9 Nokia 9500 Communicator Device can be made visible on the Receiver toolbar by enabling the policy, but the device can't be redirected to the VDA session
10 HTC Tattoo
11 HTC Touch
12 Apple iPhone 3G Customers are not recommended to restore or upgrade the firmware on any Apple device. Device will remain in Restore mode until recovered on a physical machine.
13 Apple iPhone5 Customers are not recommended to restore or upgrade the firmware on any Apple device. Device will remain in Restore mode until recovered on a physical machine.
14 Polycom CX200 (Desktop Phone)
15 HP iPAQ 4150
16 Samsung Galaxy 4 MTP mode for Samsung devices gets policy restricted due to the modem exposed to the client
17 Samsung Galaxy Core 2 MTP mode for Samsung devices gets policy restricted due to the modem exposed to the client
18 Samsung Tablet MTP mode for Samsung devices gets policy restricted due to the modem exposed to the client
HUBS: [Hubs are not supported as devices themselves however devices plugged into hubs work seamlessly]
1 Belkin 4-Port USB 2.0 Flex Hub
2 Plexus High Speed USB2.0 7 Port Powered Hub
3 Logitech 4 Port USB Hub
4 Dlink Dub-H4 USB 4 Port Hub
5 Belkin USB 2.0 4-Port Mini Hub
6 Belkin USB 4 PORT SLIM HUB (USB1.1)
7 Startech ST4202USBGB
8 Belkin 4-Port USB 2.0 Flex Hub
MODEM: [Modem Devices are blocked by the default policy]
1 LM Technologies Bluetooth EDR USB adapter
2 Trust USB Bluetooth Adaptor
3 Trust 56K USB Modem MD-1270
Security Devices
1 Microsoft Fingerprint Reader Win USB Only works with a local account and its known limitation of the vendor software
Digital Cameras
1 Canon PowerShot S70
2 Canon EOS 300D/Digital Rebel (Mass Storage)
3 Canon EOS 300D/Digital Rebel (PTP Mode)
4 Canon EOS 450D
5 Canon Ixus v3
6 Ricoh Caplio 500G Wide (Mass Storage)
7 Ricoh Caplio 500G Wide (Original Mode)
8 Nikon D70s (Mass Storage)
9 Nikon D70s (PTP Mode)
10 Fuji FinePix F31fd
Apple Devices: [ Customers are not recommended to restore or upgrade the firmware on any Apple device. Device will remain in Restore mode until recovered on a physical machine.]
1 Apple iPod Touch (16GB)
2 Apple iPod Shuffle (2GB)
3 Apple iPod Nano Ejecting an iPod Nano from within iTunes can take up to 3 minutes.
Other devices
1 Nipco USB Missile rocket launcher
2 Dictaphone Foot Control USB adapter
3 3DConnexion Space Navigator
4 3DConnexion Space Pilot Pro
5 3DConnexion Space Explorer
6 Startech SVID2USB2
7 Aigo DPF5170 (USB photo frame)
8 Plantronics Calisto 619 (Bluetooth Wireless Speakerphone + Bluetooth USB Adapter )
9 D-Link DBT-122 (Wireless USB Bluetooth Adapter)
10 Buffalo DVSM-PN58U2VB (USB DVD-RW) Does not work for Server OS
11 Wacom Signature Pad STU430 , STU 530
12 Wacom Tablet Intuos Pro Not supported for Server OS
13 Wacom interactive pen display DTU1031 Not supported for Server OS
14 Topaz Signature Pad T-LBK460 Topaz driver is required on the VDA (if installation fails, extract the driver package and then install the driver manually)
15 Philips Speech Mike Pro
USB host Controller for 3.0 port
1 Renesas Electronics USB 3.0 Host Controller Drivers
2 Microsoft USB Host Controller Drivers Supported from Windows 8 OS onwards.

How Do I Block SSLv2 on NetScaler?

This article describes how to block SSLv2 on NetScaler.

Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

Use Case

The SSL v2 protocol has many security vulnerabilities, which makes it essential to disable it and opt for stronger, more secure protocols such as TLS v1.1 / v1.2.

Introduction to SSL v2

SSL v2 (SSL 2.0) is a protocol created by Netscape in 1994. Many security vulnerabilities were identified in it, and many of them were later resolved in SSL v3, which is itself also affected by security vulnerabilities.

Here is a list of some of the flaws in SSL v2:

  1. SSL v2 has a weak MAC (message authentication code) construction, which uses 40-bit encryption in export mode. It uses the MD5 hash function, which makes it vulnerable to length extension attacks wherein an attacker can delete bytes from the end of messages.
  2. It is vulnerable to a cipher suite rollback attack because the handshake messages are not protected. In this attack, the attacker edits the list of cipher suite preferences in the hello messages to a weaker cipher suite without detection. This forces the client and server to agree upon a weaker form of encryption than they otherwise would have chosen.
  3. Message authentication and message encryption use the same key. This can lead to a problem if the client and server negotiate weak encryption.
  4. Session termination can be forged. A man-in-the-middle attacker can easily insert a TCP FIN to terminate the session. The receiving endpoint is unable to determine whether it is a legitimate end-of-session request, resulting in an unwanted termination.
  5. SSL v2 does not follow certificate chains and does not support non-RSA algorithms. It only supports RSA key exchange, which may not be the preferred option in many cases.
  6. SSL v2 only supports one domain certificate per service. This is not preferable, as it does not support virtual hosting for web servers.

How to Configure NetScaler MAS Simplified Audit Log Management

To configure NetScaler MAS simplified audit log management:

1. Navigate to System > Auditing > Syslog Messages.

2. Under Syslog Messages you will see the audit log messages. You can filter them by Module, Event Type, or Severity.

Additionally, you can click within a syslog message to see which module and event type that particular message belongs to.

3. When Module is clicked, the module (for example, GUI) gets highlighted.

4. When Event Type is clicked, the event type (for example, CMD_EXECUTED) gets selected.

5. You can use this to learn which modules, event types, or severities you want to filter on, and select them from the Filter By menu on the right-hand side of the screen.

How to Test LDAP Authentication Settings on NetScaler Gateway Running 11.1 Version

From the 11.1 builds onward there is a new feature to test the connection between NetScaler and the backend LDAP server.

The LDAP server profile now has a “Test Connection” button, which generates traffic from NetScaler to the backend LDAP server and reports information about the connection.

To navigate to the LDAP Server Profile: NetScaler > Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > LDAP > Servers

This is helpful to confirm whether there is a connectivity issue between NetScaler and the configured LDAP server.

How Do I Setup TLS_FALLBACK_SCSV On NetScaler?

Use Case

Protect the server against the POODLE attack by preventing the protocol downgrade attack.

Introduction to TLS_FALLBACK_SCSV

The POODLE attack is a man-in-the-middle attack in which an attacker takes advantage of the fallback behaviour of clients (including browsers) to attack servers that support SSL 3.0 and the CBC encryption mode.

Most SSL/TLS implementations are backward compatible with SSL 3.0 to interoperate with legacy systems. A POODLE attacker leverages the fact that when a secure connection attempt fails, the connection falls back to older protocols such as SSL 3.0. The attacker can trigger a connection failure, thereby forcing the use of SSL 3.0, and then attempt the attack.

To mitigate the POODLE attack, one approach is to completely disable SSL 3.0 on both the client side and the server side. However, some old clients and servers do not support TLS 1.0 and above, so disabling SSL 3.0 might not be possible. The solution to this problem is for browsers and servers to implement TLS_FALLBACK_SCSV, which makes such downgrade attacks impossible. This is how it works: browsers that support TLS_FALLBACK_SCSV include this Signaling Cipher Suite Value (SCSV) whenever they retry a failed handshake at a lower version. After a session fails during the initial handshake, the browser retries, but with the maximum version one lower than before. For example, after failing to connect to a server with the maximum version set to TLS 1.1, the client retries with the maximum version set to TLS 1.0. On its own this mechanism ensures connectivity but lowers security and makes the session vulnerable.

The presence of the SCSV in the Client Hello indicates that the client is retrying the connection with a lower SSL/TLS version after its previous attempt with a higher version failed. Therefore, if the server finds the SCSV in the Client Hello and also finds that the client is proposing a version lower than the maximum version the server supports, this is a likely indication of a man-in-the-middle attack, and the server drops such handshakes.

Qualys SSL Labs, which tests servers and browsers for SSL vulnerabilities, requires a server to support TLS_FALLBACK_SCSV to get an A+ rating.
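The server-side rule described above is small enough to write out in full. The following is an added example, not code from the article or from the NetScaler implementation, that encodes a ClientHello cipher_suites vector the way the wire format does (a 2-byte length followed by 2-byte suite codes), places the SCSV in it for fallback retries, and applies the RFC 7507 decision: reject with an inappropriate_fallback alert only when the SCSV is present and the offered version is below the server's best. The two filler cipher suites are real IANA codes chosen only to make the vector non-trivial; the scenario names are this example's own.

```python
import struct

# RFC 7507: TLS_FALLBACK_SCSV (0x5600) is a cipher suite value carried in the
# ClientHello cipher_suites vector, not a TLS extension.
TLS_FALLBACK_SCSV = 0x5600
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303

# Two ordinary suites used as filler (real IANA codes).
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035


def encode_cipher_suites(suites):
    """Encode the cipher_suites vector: 2-byte length followed by 2-byte suite codes."""
    body = b"".join(struct.pack("!H", s) for s in suites)
    return struct.pack("!H", len(body)) + body


def decode_cipher_suites(buf):
    """Parse the cipher_suites vector back into a list of suite codes; reject malformed input."""
    (length,) = struct.unpack("!H", buf[:2])
    if length % 2 or len(buf) < 2 + length:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", buf[2 + i:4 + i])[0] for i in range(0, length, 2)]


def server_check(client_version, cipher_suites_buf, server_max_version):
    """Server-side rule from RFC 7507 section 3. Returns (accept, alert_or_None)."""
    suites = decode_cipher_suites(cipher_suites_buf)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return False, "inappropriate_fallback"
    return True, None


def client_hello(version, fallback):
    """Build what a client sends: its max version and cipher_suites; fallback retries append the SCSV."""
    suites = [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
    if fallback:
        suites.append(TLS_FALLBACK_SCSV)
    return version, encode_cipher_suites(suites)


def scenarios(server_max=TLS12):
    """Run the four cases a server implementing the rule must get right."""
    results = {}
    # 1. Initial attempt at the server's maximum: no SCSV, accepted.
    v, cs = client_hello(TLS12, fallback=False)
    results["initial_tls12"] = server_check(v, cs, server_max)
    # 2. Retry one version lower with the SCSV while the server supports higher:
    #    this is the downgrade the article describes, so the server rejects it.
    v, cs = client_hello(TLS11, fallback=True)
    results["fallback_tls11"] = server_check(v, cs, server_max)
    # 3. A genuinely old client whose best is TLS 1.0 sends no SCSV: accepted,
    #    which is how interoperability with legacy clients is kept.
    v, cs = client_hello(TLS10, fallback=False)
    results["legacy_tls10"] = server_check(v, cs, server_max)
    # 4. Fallback retry against a server whose own maximum is TLS 1.0: versions
    #    match, so nothing was downgraded below what the server offers; accepted.
    v, cs = client_hello(TLS10, fallback=True)
    results["fallback_to_server_max"] = server_check(v, cs, TLS10)
    return results


if __name__ == "__main__":
    for name, (accept, alert) in scenarios().items():
        print(f"{name:24s} accept={accept} alert={alert}")
```

Case 3 is why TLS_FALLBACK_SCSV cannot protect a client that does not send it: the server has no way to distinguish a legacy client from a downgraded modern one, so the protection exists only when both sides implement the SCSV.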

ShareFile FTP Information

Citrix Content Collaboration, the advanced integration layer formerly attributed to ShareFile

ShareFile is compatible with most well-known FTP clients for Windows and Mac. By connecting to ShareFile via your FTP client, you can download or upload data to your account.

Note: ShareFile acts as an FTP server and not as an FTP client. ShareFile does not automatically integrate with other FTP sites and servers directly.

ShareFile’s FTP feature supports TLS 1.2 connections.

For more information regarding ShareFile features and plan requirements, please consult the ShareFile Pricing page.

FTPS Support

ShareFile supports FTP transfers.

  • SFTP is not currently supported.

Information

Port Requirements

  • You can connect to ShareFile either via traditional FTP (port 21) or using an implicit SSL/TLS connection (port 990).
  • When an FTP or FTPS client connects to ShareFile, they will be using an outbound port in the range of 32768-57344. To enhance security, the connection randomly switches port numbers within this large range.
  • For information on whitelisting ShareFile IPs, click here.
  • Finding the IP of my server – You can find the IP of your account’s assigned FTP server using the “ping yoursubdomain.sharefileftp.com” command in the Windows Command Line menu. You can find your FTP server name within your ShareFile account under Personal Settings > Advanced Connections.

Limitations

  • A user can have 8 simultaneous connections. Attempting any more connections will result in an error. If you cannot close connections, you may do so by closing your FTP client.
  • Move and Copy functions are not supported. Changes made in this manner will not be reflected in the ShareFile web app.
  • ShareFile does not support the Rename function when moving files.
  • This feature does not support company credentials.
  • This feature is not currently available for data on customer-managed StorageZones.
  • This feature is not compatible with VDR accounts using the view-only feature.

AAA GROUP expressions in Gateway Vserver (CVPN, Full VPN and ICA Proxy) usecase

To use AAA groups in policy expressions, the groups must be added on the ADC. This applies to all expressions evaluated after the authentication flow is completed.

Example 1:

For example, if a user is a member of an LDAP group “Finance” and you want a policy expression (in a rewrite, responder or any other policy) such as:

AAA.USER.IS_MEMBER_OF("Finance")

OR

AAA.USER.GROUPS.CONTAINS("Finance")
