As noted in the security bulletin CTX463706, the following Citrix ADC builds contain enhancements to help customers mitigate against HTTP smuggling attacks:
Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP
In order to allow a wide variety of client/server transactions, Citrix ADC has a default lenient setting for parsing HTTP requests. However, an enhanced level of protection against HTTP Request Smuggling attacks can be provided by binding an in-built HTTP profile, nshttp_default_strict_validation, to one or more virtual servers by using the following commands on the CLI:
set lb vserver <vserver_name> -httpProfileName nshttp_default_strict_validation set cs vserver <vserver_name> -httpProfileName nshttp_default_strict_validation
Please note that customers are strongly advised to test these settings prior to deployment in a production environment.
Customers who encounter any problems in deploying the above HTTP profile can alternatively disable HTTP multiplexing to mitigate against HTTP request smuggling. This can be done globally, across all services, using:
set ns httpParam -conMultiplex DISABLED
OR, alternatively, per profile using:
set httpProfile <profile_name> -conMultiplex DISABLED
Please note that, depending on the capability of the back-end web server, there may be a minor performance impact as a result of disabling HTTP multiplexing because a separate TCP connection will be created for each client connection. Customers are advised to test this configuration prior to deployment in a production environment.
The enhancements include a new parameter ‘passProtocolUpgrade’ which is added to the HTTP profile to help customers mitigate against HTTP smuggling attacks. Depending on the state of this parameter, the upgrade header is either passed in the request sent to the back-end server or deleted before sending the request.
If the passProtocolUpgrade parameter is enabled, then the upgrade header is passed to the back end. The server accepts the upgrade request and notifies it in its response.
If this parameter is disabled, then the upgrade header is deleted, and the remaining request is sent to the back end.
The passProtocolUpgrade parameter is added to the following profiles:
nshttp_default_profile ENABLED by default
nshttp_default_strict_validation DISABLED by default
nshttp_default_internal_apps DISABLED by default
nshttp_default_http_quic_profile ENABLED by default
Citrix recommends that this parameter be disabled. For more best practices, see the Citrix ADC Secure Deployment Guide.