Cisco FXOS and NX-OS Software Link Layer Discovery Protocol Denial of Service Vulnerability

A vulnerability in the Link Layer Discovery Protocol (LLDP) implementation for Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition when the device unexpectedly reloads.

The vulnerability is due to improper input validation of certain type, length, value (TLV) fields of the LLDP frame header. An attacker could exploit this vulnerability by sending a crafted LLDP packet to an interface on the targeted device. A successful exploit could allow the attacker to cause the switch to reload unexpectedly.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-fxnx-os-dos

Security Impact Rating: High

CVE: CVE-2018-0395
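The advisory attributes the crash to unchecked TLV length fields. As an added illustration (not Cisco's code and not the affected implementation), a small Python LLDP TLV parser that checks every declared length against the bytes actually remaining before reading, and requires the mandatory Chassis ID, Port ID and TTL TLVs first; the sample frames are constructed.

```python
import struct

LLDP_END_TLV = 0
LLDP_LEN_MASK = 0x1FF            # the TLV length field is 9 bits wide
MANDATORY_ORDER = (1, 2, 3)      # Chassis ID, Port ID, TTL must come first (802.1AB)

def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

# Constructed sample frames (LLDPDU only, after the Ethernet header).
MAC = bytes.fromhex("001122334455")
GOOD_LLDPDU = (tlv(1, b"\x04" + MAC)       # Chassis ID, subtype 4 = MAC address
               + tlv(2, b"\x05Gi1")        # Port ID, subtype 5 = interface name
               + tlv(3, b"\x00\x78")       # TTL = 120 seconds
               + tlv(0, b""))              # End of LLDPDU
# Same frame, but the TTL TLV claims 511 bytes while only 4 follow it.
BAD_LLDPDU = (tlv(1, b"\x04" + MAC) + tlv(2, b"\x05Gi1")
              + struct.pack("!H", (3 << 9) | LLDP_LEN_MASK) + b"\x00\x78" + tlv(0, b""))

def parse_lldpdu(lldpdu):
    """Return [(type, value), ...]; raise ValueError on a malformed frame."""
    tlvs, off = [], 0
    while True:
        if len(lldpdu) - off < 2:
            raise ValueError("truncated TLV header at offset %d" % off)
        (hdr,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, tlv_len = hdr >> 9, hdr & LLDP_LEN_MASK
        off += 2
        if tlv_type == LLDP_END_TLV:
            if tlv_len != 0:
                raise ValueError("End of LLDPDU TLV must have length 0")
            break
        # Bounds check before touching the value: an oversized length is
        # rejected instead of being read past the end of the buffer.
        if tlv_len > len(lldpdu) - off:
            raise ValueError("TLV type %d declares %d bytes, %d remain"
                             % (tlv_type, tlv_len, len(lldpdu) - off))
        tlvs.append((tlv_type, lldpdu[off:off + tlv_len]))
        off += tlv_len
    if tuple(t for t, _ in tlvs[:3]) != MANDATORY_ORDER:
        raise ValueError("missing or misordered mandatory TLVs")
    return tlvs

def is_well_formed(lldpdu):
    try:
        parse_lldpdu(lldpdu)
        return True
    except ValueError:
        return False
```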

Citrix Gateway displays error “HTTP/1.1 504 Gateway Timeout” while connecting to backend resources

When connecting to backend resources through a Citrix Gateway, you may see the Gateway return an error to the client when the backend services/resources are accessed.

Analyzing the ADC/Gateway traces, you can see that the Gateway responded with the error without even initiating the connection to the backend server.

Request:

POST /SecureBrowse/https/gateway.reprolab.com/oauth2/token HTTP/1.1
Host: gateway.reprolab.com:444
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
deviceId: 00000000-0000-0000-0000-000000000000
Cookie: NSC_AAAC=bd27ec1fag5b4937a55abc3a06845b260c3a01d41111111158455e445a4a42
Accept: */*
Connection: keep-alive
Content-Length: 143
User-Agent: SO/1.0 (SecureBrowse; build:1.5; iOS 11.4.0)
Accept-Language: en-US;q=1.0
Authorization: Basic abcWEcsdsWs1I1SFZNTF95UGR1aHZ4a111111111111111111112RveFBEZXVDMlVh
Accept-Encoding: gzip;q=1.0, compress;q=0.5

channel=2&deviceId=00000000-0000-0000-0000-000000000000&grant_type=password&password=Pa$$woRD&scope=openid&subChannel=1&username=mytestuser

Response:

HTTP/1.1 504 Gateway Timeout
Content-Length: 58
Connection: close
Cache-Control: no-cache,no-store
Pragma: no-cache

<html><body><b>Http/1.1 Gateway Timeout</b></body> </html>

Configuring PVS for High Availability with UEFI Booting and PXE service

Requirements and configuration:

  1. PVS 7.8 or above installed on all servers
  2. PXE service configured to run on multiple PVS servers
  3. Option 11 configured on the DHCP server for multiple PVS servers (or option 17 configured with a round robin DNS entry)
  4. vDisk stores configured with multiple PVS servers serving those stores

Additional information:

PVS target booting can be split into four tasks.

Task 1

The PXE client on the target device obtains an IP address and scope options.

The IP address comes from the DHCP server.

There are two ways to supply the scope options:

  • Scope options for PXE are defined on the DHCP server.
    Options 66 and 67 specify the server name and file name for TFTP retrieval of the PXE bootstrap file.
  • A PXE server is used (option 60 does not need to be configured).
    The PXE server responds to the DHCP request with PXE information, giving its own server name and the appropriate file name for TFTP retrieval of the PXE bootstrap file.

Task 2

The PXE client retrieves the boot file via TFTP.

Options 66 and 67:

  • The PXE client retrieves the boot file from the TFTP server specified in the scope options. This TFTP address can be load balanced and configured for HA with NetScaler.
    Round robin DNS can also be used for load balancing, but not for HA, as there is no recovery if one TFTP server is offline.

PXE server:

  • The PXE server that responds first is used by the PXE client.
    The PXE server specifies itself as the source TFTP server and provides the appropriate file name.
  • In PVS 7.8 and above, the PXE service can provide the appropriate boot file, either the gen1/BIOS boot file (ardbp32.bin) or the gen2/UEFI boot file (pvsnbpx64.efi), depending on the PXE client request.

Task 3

The PXE client executes the boot file, which handles further booting; the boot file contacts a PVS login server.

Gen1/BIOS:

  • ardbp32.bin has been preconfigured with the addresses of the PVS login servers.

Gen2/UEFI:

  • pvsnbpx64.efi is a signed file and cannot be preconfigured with PVS login servers.
  • Instead, it retrieves the location of the PVS login servers from DHCP scope options, using either option 11 or option 17.
  • Option 17 can be used to specify a single PVS login server in the format: pvs:[192.168.0.1]:17:6910
    There is no HA for the login server in this scenario, since a single IP address is used.
  • Option 17 can be used to specify a DNS name that is a round robin list of all PVS servers, in the format: pvs:[DNSRRENTRY]:17:6910
    As the DNS entry resolves to multiple PVS servers, and non-responsive PVS login servers are skipped over by the bootstrap, this is HA appropriate.
  • Option 11 can be used to specify a list of up to 32 PVS login servers.
    As multiple login servers are specified, and non-responsive PVS login servers are skipped over by the bootstrap, this is HA appropriate.

Task 4

The PVS login server finds the vDisk assigned to the target device and tells the target device to switch to a PVS streaming server.

  • Provided multiple PVS servers are configured to stream a vDisk, this step is highly available.
  • If a PVS server is offline, a target device will not be instructed to stream from it.

Large File Uploads Fails on NetScaler with Content Length 0 POST Requests

On NetScaler 11.1 54+, large file uploads over HTTP POST may fail: before sending the actual large POST request, NetScaler sends a request with Content-Length “0”, and the back-end server may reject that request if it is not configured to respond to HTTP requests with Content-Length “0”.

Analysis

POST /traveler?s=USERNAME&action=sync&orig=dm&deviceId=Android_12345678gh7 HTTP/1.1
Accept-Charset: UTF-8
Content-Type: application/vnd.syncml+wbxml
Cache-Control: private
Connection: Keep-Alive
User-Agent: Lotus Traveler Android 9.0
Content-Encoding: deflate
ntCoent-Length: 90977
Accept-Language: de-AT, en-US
Accept-Language: de-AT, en-US
Host: abcd.xyz.com
Cookie: DomAuthSessId=73BDE6B8B8AECA6ECB3D649F951AA4BD; SessionID=D4EE8D6F33BC734B08D6887956530A8A5196909D; NSC_wt_mc00_usbwfmfs=ffffffffc3a0b60745525d5f4f58455e445a4a423660
Accept-Encoding: identity
Content-Length: 0

HTTP/1.1 400 Bad Request
Server: Application-Server-Name
Date: Sun, 02 Jul 2017 07:23:26 GMT
Connection: close
Pragma: no-cache
Cache-Control: no-store
X-Application-Server-HTTP-TIME: 16
X-Application-Serve-ERROR-MESSAGE: Action sync or Content-Encoding deflate requires data, and there is no data.
X-Application-Serve-HOST: 5050
Content-Type: text/plain;charset=UTF-8
Content-Length: 41

Error: “Unnecessary requirement for Application-Serve-Name.”

Note 1: The error codes and details shown above may differ by environment/configuration, as they depend on the application server. The application behavior and the symptoms, however, are likely to be the same as described in this article.

Note 2:

If the POST request contains a Content-Length header, NetScaler garbles it to “ntCoent-Length”.

Also, sometimes the original POST has no Content-Length defined but uses Transfer-Encoding: chunked. In that case, NetScaler proxies the POST using Content-Length: 0 and garbles the Transfer-Encoding header as either Tnsrafer-Encoding or anTrsfer-Encoding.
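The scrambled header names make this preliminary request easy to recognize in a server-side trace. The following Python check, added here as an example (not Citrix code), flags a POST carrying Content-Length: 0 together with one of the scrambled names and recovers the header it stands in for; the sample requests are constructed and the host name is a placeholder.

```python
# Constructed sample of the zero-length request NetScaler proxies ahead of a
# large POST, as described in the notes above (host and values are made up).
PREFLIGHT_REQUEST = (
    "POST /traveler?action=sync HTTP/1.1\r\n"
    "Host: backend.example.invalid\r\n"
    "Content-Encoding: deflate\r\n"
    "ntCoent-Length: 90977\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Chunked variant: Transfer-Encoding is scrambled instead of Content-Length.
CHUNKED_PREFLIGHT = (
    "POST /upload HTTP/1.1\r\n"
    "Host: backend.example.invalid\r\n"
    "Tnsrafer-Encoding: chunked\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# A genuine empty POST with no scrambled header must not be flagged.
NORMAL_REQUEST = "POST /upload HTTP/1.1\r\nHost: backend.example.invalid\r\nContent-Length: 0\r\n\r\n"

# Scrambled name as it reaches the server -> header it stands in for.
SCRAMBLED = {
    "ntcoent-length": "Content-Length",
    "tnsrafer-encoding": "Transfer-Encoding",
    "antrsfer-encoding": "Transfer-Encoding",
}

def split_headers(raw):
    """Return (request line, [(lower-cased name, value), ...]) from raw text."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    fields = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return head[0], fields

def classify_preflight(raw):
    """Flag the Content-Length: 0 preflight and recover the original header.

    Flagged only when the request is a POST, declares Content-Length: 0 and
    also carries one of the scrambled names above."""
    request_line, fields = split_headers(raw)
    as_dict = dict(fields)
    recovered = [(SCRAMBLED[n], v) for n, v in fields if n in SCRAMBLED]
    flagged = (request_line.startswith("POST ")
               and as_dict.get("content-length") == "0"
               and bool(recovered))
    return {"preflight": flagged, "original_headers": recovered}
```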

How to Deploy NetScaler Appliances in a High Availability Setup in Two Arm Mode having Multiple Subnets with VLAN IDs

This article contains information about deploying NetScaler appliances in a high availability setup in two arm mode having multiple subnets with VLAN IDs.

Requirements

  • Both the NetScaler appliances must be on the same NetScaler software release version and have the same hardware platform.
  • Configure the appliances in a high availability setup. Ensure that both the appliances are communicating to each other. Refer to CTX116748 – How to Set Up a High Availability Pair on NetScaler.

Background

In this scenario, the NetScaler appliance must communicate with four VLANs (200, 201, 202, and 400), and the mode of communication must be two arm mode.

The IP ranges for communication on VLANs 200, 201, 202, and 400 are 192.168.200.0/24, 192.168.300.0/24, 192.168.400.0/24, and 172.17.154.0/24 respectively:

  • Internal VLAN200 / 192.168.200.x
  • Internal VLAN201 / 192.168.300.x
  • Internal VLAN202 / 192.168.400.x
  • DMZ VLAN400 / 172.17.154.x

How to Enable Client IP in TCP/IP Option of NetScaler

This article describes how to enable client IP in TCP/IP option of NetScaler.

Background

Currently, several customers are using the NetScaler as a centralized resource to perform load balancing for many applications in large data centers. When the NetScaler application switch is used as an L3 (or higher) switch, it is set up as a proxy, because many servers sit across an L3 network. Operating as a proxy in such environments, however, results in the loss of the client’s source IP. As a result, the client’s connection information needs to be inserted as part of the initial data stream.

For HTTP and SSL services this is done by inserting the client IP address as an HTTP header on the request to the server. Inserting a client IP address header is not possible for TCP based services, so TCP header insertion can be used as an alternative.

This feature addresses that drawback. After the three way handshake with the server, a single packet of additional data is sent to the server. This data is prepended with the 32 bit binary representation of the value entered as the CIP header, followed by the complete TCP/IP header information of the packet that induced the backend connection to be established. The data runs from the start of the IP header to the end of the TCP header, including IPv6 extension headers, IPv4 options, and TCP options as appropriate. As such, proper logic must be incorporated in the application to ensure that the proper fields are parsed.

Note that this feature does not work on HTTP load balancing virtual server/service.

An extra packet is sent by the NetScaler to the server side containing the following information:

  • Variable length: client side session information. It is a copy of the final acknowledgement packet used in client side connection establishment (header only).
  • IPv6: the basic IPv6 header is copied to the server side as it is. NetScaler does not have a dual IPv6 stack; rather, it converts the IPv6 packet to IPv4 at Layer 3 and the upper layers then process the packet, after which the packet is translated back from IPv4 to IPv6. While converting the original IPv6 header to IPv4 for TCP level proxying, all extension headers are ignored. For TCP CIP, however, the original IPv6 basic header is copied and forwarded to the server side.

Screen shots of sample trace: [two trace screenshots, not reproduced]

Note: In SSL_BRIDGE, NetScaler TCP does not proxy the final packet from the client to the server side. On the final ACK, the protocol control block (PCB, TCP session structure) itself is not created on the NetScaler. This is done because the protocol is known to be SSL and the client has to send the first data packet (SSL client hello); only then is the PCB allocated on the NetScaler for the client side connection, and the IP+TCP header is taken from this client hello packet and forwarded to the server side together with the client side information. If, for example, the client hello is 265 bytes, the IP length seen will be 265 bytes.
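The application receiving the stream has to strip this record before it reaches the real payload. The following Python parser, added here as an example and not Citrix code, walks the record as described above: the 32-bit CIP value, then an IPv4 header (honouring IHL so options are skipped) or a basic IPv6 header, then the TCP header (honouring the data offset so TCP options are skipped). The sample record is constructed; the CIP value in it is a placeholder, and the IPv6 branch assumes no extension headers are present.

```python
import socket
import struct

def build_sample_cip_record():
    """Constructed sample of the extra packet's payload: the 32-bit CIP value,
    then the IPv4 and TCP headers (no options) of the client's final ACK."""
    cip_value = struct.pack("!I", 0x01020304)          # placeholder CIP value
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                       socket.inet_aton("198.51.100.23"),   # client source IP
                       socket.inet_aton("203.0.113.10"))    # virtual server IP
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1000, 2000, 5 << 4, 0x10, 65535, 0, 0)
    return cip_value + ipv4 + tcp

def parse_cip_record(data):
    """Parse the prepended record; return the client address and how many
    bytes were consumed so the caller can resume at the real payload."""
    if len(data) < 4:
        raise ValueError("record shorter than the 32-bit CIP value")
    (cip_value,) = struct.unpack_from("!I", data, 0)
    off = 4
    version = data[off] >> 4
    if version == 4:
        ihl = (data[off] & 0x0F) * 4                  # IHL covers IPv4 options
        if ihl < 20 or off + ihl > len(data):
            raise ValueError("bad IPv4 header length")
        proto = data[off + 9]
        src = socket.inet_ntoa(data[off + 12:off + 16])
        dst = socket.inet_ntoa(data[off + 16:off + 20])
        off += ihl
    elif version == 6:
        if off + 40 > len(data):
            raise ValueError("truncated IPv6 header")
        proto = data[off + 6]                         # Next Header; assumes no extension headers
        src = socket.inet_ntop(socket.AF_INET6, data[off + 8:off + 24])
        dst = socket.inet_ntop(socket.AF_INET6, data[off + 24:off + 40])
        off += 40
    else:
        raise ValueError("unknown IP version %d" % version)
    if proto != 6:
        raise ValueError("inner protocol is not TCP")
    if off + 20 > len(data):
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack_from("!HH", data, off)
    tcp_len = (data[off + 12] >> 4) * 4               # data offset covers TCP options
    if tcp_len < 20 or off + tcp_len > len(data):
        raise ValueError("bad TCP header length")
    return {"cip": cip_value, "client_ip": src, "client_port": sport,
            "vip": dst, "vport": dport, "consumed": off + tcp_len}
```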

In our lab we successfully tested this feature for the following services:

  • TCP service
  • SSL_BRIDGE service
  • SSL_TCP service

Application and Desktop Launch Process for internal network users

The following steps happen when users access their desktops and apps:

1. Authentication

(1) Citrix Receiver contacts StoreFront using HTTP (TCP port 80) or HTTPS (TCP port 443)

(2) StoreFront presents an authentication page

(3) The user submits credentials

(4) StoreFront contacts AD using Kerberos (TCP port 88) to authenticate the user

(5) AD returns the response to StoreFront

(6) The user is logged in to the store

2. Enumeration

Enumeration is the retrieval of the apps and desktops assigned to the user and their presentation to the user, so the user can choose the resources they would like to launch.

Assuming that the user has already been authenticated to the store:

(1) After successful authentication, StoreFront passes the user credentials to the Delivery Controller using HTTP (TCP port 80) or HTTPS (TCP port 443) to request the list of resources available to that user

(2) The Delivery Controller contacts AD with an LDAP request (TCP port 389) to identify the user’s identity and group memberships

(3) The Delivery Controller contacts the Site Database (TCP port 1433) on the SQL Server to obtain app and desktop metadata, such as names and icons, for the resources the user’s groups have access to

(4) The Delivery Controller sends the information back to StoreFront using HTTP (TCP port 80) or HTTPS (TCP port 443)

(5) StoreFront presents all the resources directly to Citrix Receiver on the user’s endpoint

3. Resource Launch

(1) The user clicks the icon shown in the store (TCP port 80 or 443)

(2) StoreFront contacts the Delivery Controller using HTTP (TCP port 80) or HTTPS (TCP port 443)

(3) The Delivery Controller reaches out to the SQL Server (TCP port 1433) to identify the most suitable VDA

(4) The Delivery Controller contacts that VDA (TCP port 80)

Server OS VDAs are always listening for incoming connections

Desktop OS VDAs begin listening for incoming connections at this point

(5) The VDA returns a session key to the Delivery Controller

(6) The Delivery Controller sends the session key, which contains all of the connection information, to StoreFront (TCP port 80 or 443)

(7) StoreFront puts all the connection information into the default .ica file and sends it to the endpoint (TCP port 80 or 443)

4. Session Initialization

(1) Citrix Receiver on the user endpoint directly contacts the VDA (TCP port 1494 or 2598, depending on session reliability) using the connection information stored in the .ica file

(2) The VDA notifies the Delivery Controller of the connection setup (TCP port 80)

(3) The Delivery Controller contacts the License Server (TCP port 7279) to check out a license on behalf of the device or user connected to the environment

(4) The Delivery Controller commits the session connection information to the site database on the SQL Server (TCP port 1433)

(5) The user interacts with the app or desktop resource (TCP port 1494 or 2598, depending on session reliability)

Re: what do you recommend when migrating NetApp to isilon, is there a best tool and best practice to achieve this?

Ok, so shameless plug here, but it’s certainly the appropriate place to do it. I work for Datadobi, and our software DobiMigrate was purpose built for this. It’s API integrated with NTAP 7M, CDOT, Isilon and others. It’ll detect all of your vfilers and SVMs, detect the qtree security styles, NFS Exports, SMB Shares. It’ll copy all of the data, shares, and exports over to Isilon. With Isilon it is SmartConnect Zone aware, and as a result each of the proxies that copy data over can talk to up to 5 Isilon nodes at the same time. As a result it’s crazy-fast and scales-out.

You can read more here:

Accelerating your Journey to the data lake with DobiMiner from Datadobi

Or from our site here:

https://www.datadobi.com

Anyway certainly reach out if you’d like to see a demo, or get some more information. Or ask your DellEMC account team. Also FWIW with reference to the suggestion of isi_vol_copy “might” work for your 7M systems, but it does not support CDOT. It’s an NDMP-based dump, so there are a lot of other issues that come with that decision.

I’ll of course leave it to others to comment on their experiences with the same type of migration.

~Chris Klosterman

Principal SE, Datadobi.

chris.klosterman@datadobi.com

Re: NetApp snapshot backup

Hello guys,

I have a little problem.

I have the following environment:

– Networker Server version 18.1 (Windows 2012)

– DataDomain 6.0.x (DDBoost)

– NetApp 8.2.x (mode 7)

Problem:

I need to backup NetApp using snapshot. The shares are via NFS.

I can generate the snapshot, but during the restore I am receiving a permission error. Searched but found nothing that could help.

Some doubts:

– Is it necessary to share the volumes via CIFS as well?

– Can I use the root user for all operations? Or use the NDMP user?

Thank you very much in advance.
