How do I block FREAK on NetScaler

How does NetScaler help?

No need to freak out! NetScaler can block FREAK attacks by disabling export-grade RSA. By default, export-grade RSA is disabled in NetScaler, but if it has been explicitly configured, it can be removed using the following command:

set ssl vserver <vServer name> -eRSA DISABLED

For the management interface, use the following commands to manually remove export-grade RSA.

For IPv4:

set ssl service nshttps-127.0.0.1-443 -eRSA DISABLED

“nshttps-127.0.0.1-443” is the internal service running for the NetScaler Management Interface.

For IPv6:

set ssl service nshttps-::1l-443 -eRSA DISABLED

“nshttps-::1l-443” is the internal service running for the NetScaler Management Interface.
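To find every virtual server or service where export-grade RSA was explicitly turned on, the script below (an added example, not Citrix code) scans saved configuration text and prints the matching DISABLED command for each entity whose last explicit setting is ENABLED. It assumes the saved configuration contains lines in the same `set ssl vserver|service <name> -eRSA <state>` form as the commands above and that names with spaces are double-quoted; the sample lines and the function names are constructed for illustration.

```python
import shlex

# Constructed sample of saved configuration lines (not from a real appliance).
SAMPLE_CONFIG = '''\
add ssl certKey web-cert -cert web.pem -key web.key
set ssl vserver vs_web -eRSA ENABLED
set ssl vserver "vs portal" -eRSA ENABLED
set ssl vserver vs_api -eRSA ENABLED
set ssl vserver vs_api -eRSA DISABLED
set ssl service nshttps-127.0.0.1-443 -eRSA ENABLED
set ssl service nshttps-::1l-443 -eRSA DISABLED
'''


def ersa_states(config_text):
    """Map (kind, name) -> last explicit -eRSA value seen for that entity."""
    states = {}
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)  # honours quoted names containing spaces
        except ValueError:
            continue  # unbalanced quotes: not a line we can interpret
        if len(tok) < 6 or [t.lower() for t in tok[:2]] != ["set", "ssl"]:
            continue
        kind = tok[2].lower()
        if kind not in ("vserver", "service"):
            continue
        opts = [t.lower() for t in tok[4:]]
        if "-ersa" in opts:
            idx = opts.index("-ersa")
            if idx + 1 < len(opts):  # ignore a trailing -eRSA with no value
                states[(kind, tok[3])] = tok[4 + idx + 1].upper()
    return states


def remediation_commands(config_text):
    """Commands that disable eRSA wherever it is still explicitly ENABLED."""
    cmds = []
    for (kind, name), value in ersa_states(config_text).items():
        if value == "ENABLED":
            shown = f'"{name}"' if " " in name else name
            cmds.append(f"set ssl {kind} {shown} -eRSA DISABLED")
    return cmds


if __name__ == "__main__":
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Because a later line overrides an earlier one, `vs_api` in the sample is not reported: only the final state per entity matters.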

On NetScaler SDX appliances, this issue was found with customers using the NetScaler Service Delivery Appliance Service VM (SVM) as a TLS client.

This vulnerability is fixed in the following versions of the NetScaler Service Delivery Appliance Service VM (SVM):

  • Version 10.5 Build 57.7 and later
  • Version 10.5.e Build 57.7005.e and later
  • Version 10.1 Build 133.9 and later

To find out more information about the supported versions of NetScaler ADC and Gateway, please read the support article: http://support.citrix.com/article/CTX200491
