FAQ: How do I Block Heartbleed on NetScaler?

Q: Is NetScaler affected by Heartbleed vulnerability?

A: Heartbleed is one of the most impactful vulnerability identified in the recent history of SSL protocol. Heartbleed is a bug identified in OpenSSL’s implementation of TLS heartbeat extension which allows intruders to get information from the server’s memory thereby revealing potential user data which was assumed to be safe using TLS. OpenSSL runs in majority of sites hosted in the internet which makes this a widely impacted one. The secure information that is shared with the server is now accessible by the attacker and this action is completely undetectable.

Use cases

  • Andy wishes to interact in a secure fashion (some arbitrary, some known) free from Heartbleed attacks through a web browser.
  • Banking.com wishes to host web servers to be used by people like Andy in a secure fashion free from Heartbleed attack.

Q: How does Heartbleed work?

A: In order to understand Heartbleed, it is required to understand how heartbeat extensions work. There is a heartbeat request-response exchange done between sender and receiver that allows the usage of “keep-alive” without performing a renegotiation. The message format contains Heartbeat message type, Payload, Payload length and Padding. Payload can be any value which needs to be shared with the other participant (say a server). The server copies the payload , creates a response message around it and replies back to the sender. Payload length field is 2 byte long and decides the length of the payload. This implies payload can be anything up to 65536 bytes. As per RFC 6520, if the payload length is bigger than the supported value, then the message should be discarded silently. In this scenario, server should not process the message and send a response. This is not the case with OpenSSL’s implementation which lead to the Heartbleed vulnerability. As a result server sends extra bytes of information which was requested by the attacker. This is the data present in the server’s memory which can be sensitive information.

Q: How does NetScaler help?

A: NetScaler comes to the rescue! NetScaler was never affected by the issue found in OpenSSL implementation. NetScaler can block Heartbleed attacks as the affected versions of OpenSSL (1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) are not used by NetScaler. NetScaler operating system uses modified SSL stack which is fine tuned for security, performance and other use cases and is not impacted by this vulnerability. On management pane, OpenSSL is used, however the affected versions are not used and thus not affected by Heartbleed vulnerability.

To know more information on the list of Citrix products that requires updates to evade Heartbleed vulnerability please read the support article : http://support.citrix.com/article/CTX140605.


Leave a Reply