Cisco Small Business Smart and Managed Switches Denial of Service Vulnerability

A vulnerability in the IPv6 packet processing engine of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient validation of incoming IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet through an affected device. A successful exploit could allow the attacker to cause an unexpected reboot of the switch, leading to a DoS condition.

This vulnerability is specific to IPv6 traffic. IPv4 traffic is not affected.

Cisco has released software updates that address this vulnerability for devices that have not reached the end of software maintenance. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbss-ipv6-dos-3bLk6vA

Security Impact Rating: High

CVE: CVE-2020-3363


Cisco StarOS IPv6 Denial of Service Vulnerability

A vulnerability in the IPv6 implementation of Cisco StarOS could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient validation of incoming IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet to an affected device with the goal of reaching the vulnerable section of the input buffer. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

This vulnerability is specific to IPv6 traffic. IPv4 traffic is not affected.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr5k-ipv6-dos-ce3zhF8m

Security Impact Rating: Medium

CVE: CVE-2020-3500


nFactor – Certificate Fallback to LDAP in Same Cascade with One Virtual Server for Certificate and LDAP Authentication on Citrix ADC

Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1 onward.

This article describes the following scenario:

  1. The first factor is configured for either certificate or LDAP authentication.

  2. If the user does not present a certificate for authentication, there is an option to fall back to LDAP authentication.

  3. Only a single authentication vserver is needed to configure both.

The following sections describe these steps in detail. The first briefly introduces the entities used in this document, and in nFactor authentication in general. The next illustrates the flow. The remaining sections give an example LoginSchema that renders the logon form, and the relevant configuration.

Entities used in nFactor

LoginSchema

Login Schema is an XML construct that gives the UI tier enough information to generate the user interface from the XML blob it receives. A LoginSchema is a logical representation of the logon form in XML.

It can be added as:

add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwordExpression <Expression>

where authenticationSchema is well-formed XML that defines how the login form is rendered, userExpression extracts the username from the login attempt, and passwordExpression extracts the password.

Authentication Policylabel

An authentication policy label is a collection of authentication policies for a particular factor. These should normally be pseudo-homogeneous policies, meaning the credentials received from the user apply to all policies in the cascade. Exceptions exist when a fallback option is configured or a feedback mechanism is intended.

Authentication policy labels constitute secondary, user-defined factors. With nFactor there is no single "secondary" cascade: there can be N secondary factors, depending on configuration. There can be as many policy labels as desired, and the number of factors for a given authentication is the length of the longest sequence of policy labels starting from the vserver cascade.

When an authentication policy is bound to an authentication vserver, nextFactor specifies the policy label (factor) to evaluate if the policy succeeds. Likewise, when policies are bound to a policy label, nextFactor specifies the next policy label to continue with if the policy succeeds.

It can be added as:

add authentication policylabel <name> -loginSchema <loginSchemaName>

where loginSchemaName is the login schema to associate with this authentication factor.

We can bind authentication policies to this label:

bind authentication policylabel <name> -policyName LDAP -priority 10 -nextFactor <nextFactorLabelName>

Use Case Description

  1. The user accesses the TM vserver and is redirected to the authentication vserver.

  2. If a user certificate is present on the client device, the browser prompts the user to select the certificate to use for authentication.

  3. Upon selecting the appropriate certificate, the user is authenticated and granted access to the backend resource.

  4. If no user certificate is present, the user sees the LDAP login page; on submitting credentials, the user is authenticated and granted access to the backend resource.

Users see a login page with Username and Password fields. Items such as the labels for username and password can be customized.

Here is the example used for this specific representation of the logon form:

<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status>
  <Result>more-info</Result>
  <StateContext/>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement>
        <Credential>
          <ID>login</ID>
          <SaveID>ExplicitForms-Username</SaveID>
          <Type>username</Type>
        </Credential>
        <Label>
          <Text>Enter Login Name:</Text>
          <Type>plain</Type>
        </Label>
        <Input>
          <AssistiveText>Please supply your username as sAMAccountName</AssistiveText>
          <Text>
            <Secret>false</Secret>
            <ReadOnly>false</ReadOnly>
            <InitialValue></InitialValue>
            <Constraint>.+</Constraint>
          </Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential>
          <ID>passwd</ID>
          <SaveID>ExplicitForms-Password</SaveID>
          <Type>password</Type>
        </Credential>
        <Label>
          <Text>Password:</Text>
          <Type>plain</Type>
        </Label>
        <Input>
          <Text>
            <Secret>true</Secret>
            <ReadOnly>false</ReadOnly>
            <InitialValue></InitialValue>
            <Constraint>.+</Constraint>
          </Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential>
          <Type>none</Type>
        </Credential>
        <Label>
          <Text>Hello, please submit your password to continue login...</Text>
          <Type>confirmation</Type>
        </Label>
        <Input/>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>

The customizable portions of the logon form are the Label/Text, AssistiveText, InitialValue and Constraint elements of each Requirement. Administrators can modify these values to suit their needs; the Credential IDs and Types and the PostBack path are consumed by the appliance and should be left as they are.
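The following is an added example, not part of the Citrix article: a small parser for the LoginSchema format above that lists the fields a form will render and flags the mistakes an administrator editing the XML by hand can make (a password field without Secret, a pre-filled password, or a credential with no Constraint so that empty submissions pass). The schema embedded in the code is a constructed copy of the one shown above; the checks are this example's own, not rules enforced by the appliance.

```python
"""Parse a LoginSchema AuthenticateResponse and sanity-check the fields it renders."""
import xml.etree.ElementTree as ET

NS = {"a": "http://citrix.com/authentication/response/1"}

# Constructed sample, reduced from the schema shown in the article.
SAMPLE_SCHEMA = """<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<Status>success</Status><Result>more-info</Result><StateContext/>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
<CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential>
<Label><Text>Enter Login Name:</Text><Type>plain</Type></Label>
<Input><AssistiveText>Please supply your username as sAMAccountName</AssistiveText>
<Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential>
<Label><Text>Password:</Text><Type>plain</Type></Label>
<Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><Type>none</Type></Credential>
<Label><Text>Hello, please submit your password to continue login...</Text><Type>confirmation</Type></Label>
<Input/></Requirement>
</Requirements></AuthenticationRequirements></AuthenticateResponse>"""


def parse_login_schema(xml_text):
    """Return one dict per Requirement: what the UI tier will draw for it."""
    root = ET.fromstring(xml_text)
    fields = []
    for req in root.iterfind(".//a:Requirement", NS):
        cred = req.find("a:Credential", NS)
        label = req.find("a:Label", NS)
        text = req.find("a:Input/a:Text", NS)   # None for the confirmation row
        fields.append({
            "id": cred.findtext("a:ID", namespaces=NS),
            "type": cred.findtext("a:Type", namespaces=NS),
            "label": label.findtext("a:Text", default="", namespaces=NS).strip(),
            "label_type": label.findtext("a:Type", namespaces=NS),
            "secret": text is not None and text.findtext("a:Secret", namespaces=NS) == "true",
            "initial": text.findtext("a:InitialValue", default="", namespaces=NS) if text is not None else None,
            "constraint": text.findtext("a:Constraint", namespaces=NS) if text is not None else None,
        })
    return fields


def schema_problems(fields):
    """Hand-editing mistakes worth catching before the schema goes live (example checks)."""
    problems = []
    for f in fields:
        if f["type"] == "password":
            if not f["secret"]:
                problems.append(f"password field {f['id']!r} is not marked Secret and would echo on screen")
            if f["initial"]:
                problems.append(f"password field {f['id']!r} carries a pre-filled InitialValue")
        if f["type"] in ("username", "password") and not f["constraint"]:
            problems.append(f"field {f['id']!r} has no Constraint regex; empty submissions are accepted")
    return problems


if __name__ == "__main__":
    fields = parse_login_schema(SAMPLE_SCHEMA)
    for f in fields:
        print(f)
    print("problems:", schema_problems(fields))
```

Run it against a schema exported from the appliance to see exactly which labels and constraints the form will show before binding it to a policy label.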

nFactor Flow Presentation


Policies for this use-case

add lb vserver lb_ssl SSL 10.217.28.166 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth.aaatm.com -Authentication ON -authnVsName avn
add authentication vserver avn SSL 10.217.28.167 443 -AuthenticationDomain aaatm.com
bind authentication vserver avn -policy <Certificate Auth Policy> -priority 1 -gotoPriorityExpression NEXT
bind authentication vserver avn -policy <LDAP Auth Policy> -priority 2 -gotoPriorityExpression NEXT

The preceding configuration adds a TM vserver for resource access, adds an authentication vserver to secure it, and binds the policies for this use case. The placeholders <Certificate Auth Policy> and <LDAP Auth Policy> are to be replaced by the administrator with the actual authentication policy names.

The gotoPriorityExpression defaults to NEXT, so if the certificate policy fails (no certificate presented), evaluation falls through to the next policy, which is LDAP.

Certificate and LDAP Policy Configuration

The following are examples of the certificate and LDAP policy configuration:

add authentication certAction ca -userNameField SubjectAltName:PrincipalName

add authentication Policy cert -rule true -action ca

add authentication ldapAction ldap-new -serverIP 10.217.28.180 -ldapBase "cn=users,dc=aaatm,dc=com" -ldapBindDn administrator@aaatm.com -ldapBindDnPassword 1.linux -ldapLoginName sAMAccountName -groupAttrName memberof -subAttributeName CN

add authentication Policy ldap-new -rule true -action ldap-new

For the fallback to work, client certificate authentication on the authentication vserver must be configured as Optional rather than Mandatory, and the CA certificate that issues the user certificates must be bound to that vserver as a CA certificate; see CTX205823. The bind password in the ldapAction above is a sample value and should be a dedicated low-privilege service account in production.

Configuration Through Visualizer

1. Go to Security > AAA - Application Traffic > nFactor Visualizer > nFactor Flow and click Add.

2. Click the + sign to add the nFactor flow.

3. Add a factor; its name becomes the name of the nFactor flow.

4. No login schema needs to be selected for this configuration: certificate authentication does not require one, and if authentication falls back to LDAP the default login page is used.

5. Click Add Policy, choose the certificate authentication policy and click Add.

For more information on client certificate authentication, see CTX205823.

6. Click the blue plus sign below the Cert_Policy just selected to add the LDAP authentication policy.

7. Select the LDAP_Policy and click Add.

For more information on creating LDAP authentication, see Configuring LDAP Authentication.

8. Click Done; this automatically saves the configuration.

9. Select the nFactor flow just created and bind it to an AAA virtual server by clicking Bind to Authentication Server and then Create.

Note: Bind and unbind the nFactor flow only through the option under nFactor Flow > Show Bindings.

To unbind the nFactor flow:

1. Select the nFactor flow and click Show Bindings.

2. Select the authentication vserver and click Unbind.

Important ns.log Messages

The markers to look for are NO_CLIENT_CERT together with "certificate is absent, falling back nFactor login" in the first case, and CLIENT_AUTHENTICATED followed by "Successfully completed cert auth" and an AAATM LOGIN record in the second. ClientVersion is the negotiated protocol (TLSv1.2 here); the SSLv2 token inside the CipherSuite string is part of the appliance's cipher description, not the negotiated version.

  1. For the case when the certificate is absent (the first line is a fragment, as captured):

ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New -NO_CLIENT_CERT-
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAA Message 437 0 : "NFactor: Cert Auth: certificate is absent, falling back nFactor login"
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAATM Message 438 0 : "LoginSchema policyeval did not return an active policy"
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 524 0 : SPCBId 568 - ClientIP 10.252.112.163 - ClientPort 54500 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 439 0 : "core 2: ns_get_username_password: loginschema gleaned is default "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 440 0 : "aaad_authenticate_req: copying policylabel name avn to aaa info, type 33 for auth "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 441 0 : "sslvpn_extract_attributes_from_resp: attributes copied so far are user11.citrix "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 442 0 : "sslvpn_extract_attributes_from_resp: total len copied 23, mask 0x5 "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAATM Message 443 0 : "SAMLIDP: Checking whether current flow is SAML IdP flow, input aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s"
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAATM Message 444 0 : "Invaid tass cookie while checking whether current authentication is due to idp functionality: aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s "
Jul 30 21:09:11 <local0.info> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAA EXTRACTED_GROUPS 445 0 : Extracted_groups "grp1,grp2,grp3,Group2,group1"

  2. For the case when the certificate is present:

Jul 30 21:10:36 <local0.debug> 127.0.0.2 07/30/2015:21:10:36 GMT 0-PPE-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 452 0 : SPCBId 596 - ClientIP 10.217.28.185 - ClientPort 57227 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session Reuse
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 539 0 : SPCBId 578 - ClientIP 10.217.28.185 - ClientPort 57226 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New- CLIENT_AUTHENTICATED -SerialNumber "140000000FAED08CAE9B092FEF00000000000F" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 13 21:05:01 2015 GMT" - ValidTo "Mar 12 21:05:01 2016 GMT"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 540 0 : SPCBId 578 - IssuerName " DC=com,DC=aaatm,CN=aaatm-DC-CA-1"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 541 0 : SPCBId 578 - SubjectName " DC=com,DC=aaatm,CN=Users,CN=user2"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAA Message 542 0 : "NFactor: Successfully completed cert auth, nextfactor is "
Jul 30 21:11:02 <local0.info> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAATM LOGIN 543 0 : Context users@10.217.28.185 - SessionId: 37- User users - Client_ip 10.217.28.185 - Nat_ip "Mapped Ip" - Vserver 10.217.28.167:443 - Browser_type "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLVPN Message 544 0 : "core 0: initClientForReuse: making aaa_service_fqdn_len 0 "
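The following is an added example, not part of the Citrix article: detection logic that reads the ns.log lines above and reports, per login, whether the user came in through the certificate factor or through the LDAP fallback, which client certificate serial was accepted, and which groups were extracted. The log lines embedded in the code are copied from the article; the record layout the regular expressions assume (syslog time, facility, source, appliance time, packet engine, partition, module, event, sequence, severity, body) is inferred from those lines, and the SHA-1 flag is this example's own check.

```python
"""Parse nFactor-related ns.log lines and report the authentication path taken."""
import re

# One ns.log record, as laid out in the lines shown in the article.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) <(?P<facility>[^>]+)> \S+ "
    r"(?P<nsdate>\S+ GMT) (?P<ppe>\d+-PPE-\d+) : (?P<partition>\w+) "
    r"(?P<module>\w+) (?P<event>\w+) (?P<seq>\d+) (?P<sev>\d+) : (?P<body>.*)$"
)
CLIENT_IP_RE = re.compile(r"ClientIP (\S+)")
VERSION_RE = re.compile(r"ClientVersion (\S+)")
SERIAL_RE = re.compile(r'SerialNumber "([0-9A-Fa-f]+)"')
SIGALG_RE = re.compile(r'SignatureAlgorithm "([^"]+)"')
LOGIN_RE = re.compile(r"User (\S+) - Client_ip (\S+) - .*?Vserver (\S+)")
GROUPS_RE = re.compile(r'Extracted_groups "([^"]*)"')


def parse_line(line):
    """Split one ns.log line into its fields, or return None for fragments."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Walk the log in order and collect the nFactor-relevant events."""
    s = {"fallbacks": 0, "cert_auth": [], "logins": [], "groups": [],
         "tls_versions": set(), "unparsed": 0}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            s["unparsed"] += 1
            continue
        body = rec["body"]
        if rec["module"] == "AAA" and "certificate is absent" in body:
            s["fallbacks"] += 1                       # cert factor skipped, LDAP form shown
        elif rec["event"] == "SSL_HANDSHAKE_SUCCESS":
            ver = VERSION_RE.search(body)
            if ver:
                s["tls_versions"].add(ver.group(1))   # ClientVersion is the negotiated protocol
            if "CLIENT_AUTHENTICATED" in body:        # mutual TLS succeeded
                ip, serial, sig = (CLIENT_IP_RE.search(body), SERIAL_RE.search(body),
                                   SIGALG_RE.search(body))
                s["cert_auth"].append({
                    "client_ip": ip.group(1) if ip else None,
                    "serial": serial.group(1) if serial else None,
                    "sigalg": sig.group(1) if sig else None,
                    # example check: SHA-1 signed user certificates should be re-issued
                    "weak_signature": bool(sig and sig.group(1).lower().startswith("sha1")),
                })
        elif rec["module"] == "AAATM" and rec["event"] == "LOGIN":
            m = LOGIN_RE.search(body)
            if m:
                user, ip, vs = m.groups()
                by_cert = any(c["client_ip"] == ip for c in s["cert_auth"])
                s["logins"].append({"user": user, "client_ip": ip, "vserver": vs,
                                    "method": "certificate" if by_cert else "password"})
        elif rec["event"] == "EXTRACTED_GROUPS":
            m = GROUPS_RE.search(body)
            if m:
                s["groups"].extend(g for g in m.group(1).split(",") if g)
    return s


# Log lines from the article; case 1 begins with the truncated fragment as printed there.
CERT_ABSENT = [
    'ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New -NO_CLIENT_CERT-',
    'Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAA Message 437 0 : "NFactor: Cert Auth: certificate is absent, falling back nFactor login"',
    'Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 524 0 : SPCBId 568 - ClientIP 10.252.112.163 - ClientPort 54500 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New',
    'Jul 30 21:09:11 <local0.info> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAA EXTRACTED_GROUPS 445 0 : Extracted_groups "grp1,grp2,grp3,Group2,group1"',
]
CERT_PRESENT = [
    'Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 539 0 : SPCBId 578 - ClientIP 10.217.28.185 - ClientPort 57226 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New- CLIENT_AUTHENTICATED -SerialNumber "140000000FAED08CAE9B092FEF00000000000F" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 13 21:05:01 2015 GMT" - ValidTo "Mar 12 21:05:01 2016 GMT"',
    'Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAA Message 542 0 : "NFactor: Successfully completed cert auth, nextfactor is "',
    'Jul 30 21:11:02 <local0.info> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAATM LOGIN 543 0 : Context users@10.217.28.185 - SessionId: 37- User users - Client_ip 10.217.28.185 - Nat_ip "Mapped Ip" - Vserver 10.217.28.167:443 - Browser_type "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"',
]

if __name__ == "__main__":
    for name, lines in (("certificate absent", CERT_ABSENT), ("certificate present", CERT_PRESENT)):
        print(name, summarize(lines))
```

Correlation is by client IP, which is adequate for a troubleshooting session on one appliance but not for a shared NAT; for a busier log, key on SPCBId and the packet engine instead.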


How to Add a Static Route on Netscaler MAS

To add a static route, modify the system routing table. To make the change persist across reboots, edit the svm.conf file.

  1. Log in to NetScaler MAS using an SSH client.

  2. Make a backup copy of the file /mpsconfig/svm.conf:

    cd /mpsconfig/
    cp svm.conf svm.conf.bak

  3. Add the line route add -net 10.20.30.0/28 10.0.0.1 to that file:

    echo "route add -net 10.20.30.0/28 10.0.0.1" >> svm.conf

  4. Reboot the appliance:

    reboot

  5. Verify that the static route is present in the system routing table:

    netstat -rn

Note that the gateway address (10.0.0.1 in this example) must belong to the subnet of one of the appliance's interfaces. Otherwise the route is not added and you receive the following message:

route: writing to routing socket: Network is unreachable

add net 10.20.30.0: gateway 10.0.0.1: Network is unreachable
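The following is an added example, not part of the Citrix article: a pre-check that reproduces the on-link rule behind the error above so the svm.conf line can be validated before the reboot in step 4 rather than discovered as a missing route afterwards. The interface list is a constructed sample in the form ifconfig would show; the functions and their names are this example's own.

```python
"""Validate a MAS static route against the interface subnets before writing svm.conf."""
import ipaddress


def plan_static_route(net, gateway, interfaces):
    """interfaces: list of (name, 'address/prefix') pairs taken from ifconfig.
    Returns the svm.conf line and the interface the gateway is reached through,
    or raises ValueError with the wording the route command prints at boot."""
    dest = ipaddress.ip_network(net, strict=False)
    gw = ipaddress.ip_address(gateway)
    for name, cidr in interfaces:
        # The kernel accepts a next hop only if it is directly reachable on some interface.
        if gw in ipaddress.ip_interface(cidr).network:
            return {"line": f"route add -net {net} {gateway}", "via": name}
    raise ValueError(f"add net {dest.network_address}: gateway {gw}: Network is unreachable")


def append_route(svm_conf_text, net, gateway, interfaces):
    """Return svm.conf with the route line appended once; the caller writes the file."""
    line = plan_static_route(net, gateway, interfaces)["line"]
    lines = svm_conf_text.splitlines()
    if line not in lines:            # idempotent: a second run does not duplicate the line
        lines.append(line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ifaces = [("0/1", "10.0.0.5/24"), ("0/2", "172.16.5.5/16")]   # constructed sample
    print(plan_static_route("10.20.30.0/28", "10.0.0.1", ifaces))
    try:
        plan_static_route("10.20.30.0/28", "192.168.1.1", ifaces)
    except ValueError as e:
        print(e)
```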


How Do I Setup TLS_FALLBACK_SCSV On NetScaler?

Use Case

Protect the server against the POODLE attack by preventing protocol downgrade.

Introduction to TLS_FALLBACK_SCSV

POODLE is a man-in-the-middle attack in which the attacker takes advantage of the fallback behaviour of clients (including browsers) to attack servers that support SSL 3.0 with CBC-mode ciphers.

Most SSL/TLS implementations remain backward compatible with SSL 3.0 to interoperate with legacy systems. A POODLE attacker leverages the fact that when a secure connection attempt fails, clients fall back to older protocols such as SSL 3.0, which servers still accept. The attacker triggers a connection failure, forces the use of SSL 3.0 and then attacks the CBC padding.

To mitigate POODLE, one approach is to disable SSL 3.0 completely on both the client and the server side. However, some old clients and servers do not support TLS 1.0 or above, so disabling SSL 3.0 is not always possible. The complementary fix is for browsers and servers to implement TLS_FALLBACK_SCSV (RFC 7507), which lets the server detect and reject a forced downgrade. The behaviour it addresses is the browser's own downgrade retry: after a handshake fails, the browser retries with a maximum version one lower than before. For example, after failing to connect with the maximum version set to TLS 1.1, the client retries with the maximum version set to TLS 1.0. This keeps connectivity with broken servers and middleboxes, but lowers security and, if the failure was induced by an attacker, leaves the session open to attack.

A client that retries at a lower version after such a failure includes the TLS_FALLBACK_SCSV value in the cipher suite list of its Client Hello. If the server finds this value and the client is proposing a version lower than the highest version the server supports, the earlier higher-version attempt must have failed somewhere other than at the server, which is a likely indication of a man-in-the-middle attack. The server rejects such handshakes with an inappropriate_fallback alert.

Qualys SSL Labs, which tests servers and browsers for SSL/TLS weaknesses, requires TLS_FALLBACK_SCSV support for an A+ rating.
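The following is an added example, not part of the Citrix article: a model of the server-side check just described, with a browser that performs the legacy downgrade retry and an attacker that drops every handshake above SSL 3.0. The constants come from RFC 7507 (the 0x5600 signaling value and the inappropriate_fallback alert, code 86); the function names, the simplified version-negotiation logic and the cipher list are this example's own assumptions.

```python
"""Model of the TLS_FALLBACK_SCSV check (RFC 7507) against a downgrade attacker."""

TLS_FALLBACK_SCSV = 0x5600        # RFC 7507: carried in the ClientHello cipher_suites list
INAPPROPRIATE_FALLBACK = 86       # RFC 7507 alert description
PROTOCOL_VERSION = 70             # standard TLS alert for an unsupported version
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}


def server_hello(client_version, cipher_suites, server_max, server_min=SSL3):
    """Server side of the check. Returns ("ok", negotiated) or ("alert", description)."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        # The client says this is a retry after a failure, yet we would have accepted
        # a higher version: something between us forced the downgrade.
        return ("alert", INAPPROPRIATE_FALLBACK)
    if client_version < server_min:
        return ("alert", PROTOCOL_VERSION)
    return ("ok", min(client_version, server_max))


def browser_connect(server_max, server_min, send_scsv, mitm_breaks_above=None,
                    client_max=TLS12, client_min=SSL3):
    """Client with the downgrade dance: on any failure, retry one version lower.
    mitm_breaks_above: an attacker drops every ClientHello offering more than this
    version (None = no attacker). Returns (negotiated name or None, attempts)."""
    attempts = []
    version = client_max
    while version >= client_min:
        suites = [0x002F, 0x0035]              # AES128-SHA, AES256-SHA
        if send_scsv and version < client_max:
            suites.append(TLS_FALLBACK_SCSV)   # retry below our real maximum: say so
        if mitm_breaks_above is not None and version > mitm_breaks_above:
            attempts.append((NAMES[version], "dropped by attacker"))
            version -= 1
            continue
        status, value = server_hello(version, suites, server_max, server_min)
        if status == "ok":
            attempts.append((NAMES[version], "ok"))
            return NAMES[value], attempts
        attempts.append((NAMES[version], f"alert {value}"))
        if value == INAPPROPRIATE_FALLBACK:
            return None, attempts              # RFC 7507: do not retry any lower
        version -= 1
    return None, attempts


if __name__ == "__main__":
    print("no attacker, no SCSV:      ", browser_connect(TLS12, SSL3, False))
    print("attacker, no SCSV (POODLE):", browser_connect(TLS12, SSL3, False, mitm_breaks_above=SSL3))
    print("attacker, SCSV:            ", browser_connect(TLS12, SSL3, True, mitm_breaks_above=SSL3))
    print("attacker, SSLv3 disabled:  ", browser_connect(TLS12, TLS10, False, mitm_breaks_above=SSL3))
```

The third run shows why the server-side check matters: the attacker can still drop the first three handshakes, but the SSLv3 retry carries the signal and is refused instead of completing. The fourth run is the same outcome achieved by disabling SSLv3 on the server, which is the stronger option where legacy clients allow it.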


Target Device boot fails with error PXE-E55: ProxyDHCP service did not reply to request on port 4011

DHCP Option 60 is configured with the string "PXEClient". This tells PXE clients that a ProxyDHCP service runs on the DHCP server itself, so they send their boot request to port 4011 on the DHCP server rather than to the Provisioning Services host named in Option 66. When no ProxyDHCP service answers there, the client reports PXE-E55.

To resolve this issue, edit Option 60, clear the field and restart the DHCP server. Set Option 60 only when the PXE (ProxyDHCP) service runs on the same host as the DHCP server.


How to Configure Redirect URL on ADC Virtual Server When Virtual Server is Not Available

This article describes how to configure redirect URL on ADC virtual server when virtual server is not available.

Background

You can configure an HTTP or HTTPS virtual server with a redirect URL. This URL is sent in the response to the client's HTTP or HTTPS request if the virtual server is not available. The common use of this option is to direct the client to a customized "Site Down" page or to an external backup website. The feature does not apply to protocols other than HTTP and HTTPS.

If the state of the virtual server is DOWN or DISABLED, the ADC appliance responds to HTTP(S) requests with an HTTP/1.x 302 Object Moved status and places the configured redirect URL in the Location header of the response. The exact URL in the response depends on the following configuration options:

  • If the configured redirect URL contains only the scheme and domain name, such as http://www.sample1.example.com, the Location header is built by appending the URI from the HTTP request to the configured domain name. For example, if the request is GET http://www.sample2.example.com/images/site_nav.gif, the redirect response carries Location: http://www.sample1.example.com/images/site_nav.gif.

    Note: The domain names in the request and response can differ. In this article the two domains are called sample1.example.com and sample2.example.com to explain the concept.

  • If the configured redirect URL contains a complete path, the redirect response carries the configured URL unchanged, irrespective of the URI in the request. For example:

    Requested URL: http://www.redirect.com/en/index.html

    Redirect URL: http://www.redirect.com/en/site_down.html

The following table illustrates the two options:

Configured redirect URL                        URL in HTTP request                            Location header in HTTP response
http://www.sample1.example.com                 http://www.sample2.example.com/en/index.html   http://www.sample1.example.com/en/index.html
http://www.sample1.example.com/en/error.html   http://www.sample2.example.com/en/index.html   http://www.sample1.example.com/en/error.html

Note: When configuring a redirect URL, http://example.com is not the same as http://example.com/: the latter contains a complete path (the web root, /), so it is returned unchanged rather than having the request URI appended.
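The following is an added example, not part of the Citrix article: the two rules above expressed as a function that computes the Location header, plus a helper that assembles the 302 response the appliance sends in place of forwarding the request. The request lines are constructed samples, and the exact status line and extra headers the appliance emits are not specified by the article; the response builder here is a model of the behaviour, not a byte-exact reproduction.

```python
"""Compute the redirect an ADC virtual server sends when it is DOWN or DISABLED."""
from urllib.parse import urlsplit


def request_path(request_target):
    """Path (plus query) from a request target in origin form ('/a/b') or
    absolute form ('http://host/a/b'), as in the GET example above."""
    if "://" in request_target:
        parts = urlsplit(request_target)
        path = parts.path or "/"
        return path + ("?" + parts.query if parts.query else "")
    return request_target


def redirect_location(configured_redirect_url, request_target):
    """Rule 1: a bare scheme://host gets the requested URI appended.
    Rule 2: anything with a path (even just '/') is returned verbatim."""
    parts = urlsplit(configured_redirect_url)
    if parts.path == "" and not parts.query and not parts.fragment:
        return configured_redirect_url + request_path(request_target)
    return configured_redirect_url


def site_down_response(configured_redirect_url, request_line):
    """Model of the 302 returned instead of forwarding the request to a backend."""
    method, target, _version = request_line.split()
    location = redirect_location(configured_redirect_url, target)
    return ("HTTP/1.1 302 Object Moved\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    for cfg in ("http://www.sample1.example.com",
                "http://www.sample1.example.com/en/error.html",
                "http://example.com/"):
        print(cfg, "->", redirect_location(cfg, "http://www.sample2.example.com/en/index.html"))
    print(site_down_response("http://www.sample1.example.com", "GET /images/site_nav.gif HTTP/1.1"))
```

Because the host in the Location header always comes from configuration, a client cannot steer the redirect to a host of its choosing; only the path it asked for is carried across, which is what makes the bare-domain form safe to use for a mirror site.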


AAA GROUP expressions in Gateway Vserver (CVPN, Full VPN and ICA Proxy) use-cases

  • To use AAA groups in policy expressions, the groups must be added on the ADC. This applies to all expressions evaluated after the authentication flow has completed.
  • For example, if a user is a member of the LDAP group "Finance" and you want a policy expression (in a rewrite, responder or any other policy) such as

AAA.USER.IS_MEMBER_OF("Finance")

OR

AAA.USER.GROUPS.CONTAINS("Finance")

  • then the group "Finance" must be added to the ADC configuration. The steps are:

CLI:

add aaa group Finance


GUI:

  • Citrix Gateway > User Administration > AAA Groups > ADD
  • Type the Group name and hit OK

The following expressions are generally used to evaluate a user's group membership, and the requirement above applies to all of them.

AAA.USER.IS_MEMBER_OF()

AAA.USER.GROUPS()

AAA.USER.IS_MEMBER_OF_ANY()

AAA.USER.IS_MEMBER_OF_ALL()

AAA.USER.INTERNAL_GROUPS()

AAA.USER.EXTERNAL_GROUPS()


Note: This requirement has always applied to the CVPN and full VPN use cases. Starting with the following releases it also applies to the ICA Proxy use case:

12.1.57.x

13.0.61.x
