Multiple Cisco Products Server Name Identification Data Exfiltration Vulnerability

A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised host.

This vulnerability is due to inadequate filtering of the SSL handshake. An attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate with an external server. A successful exploit could allow the attacker to execute a command-and-control attack on a compromised host and perform additional data exfiltration attacks.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sni-data-exfil-mFgzXqLN

Security Impact Rating: Medium

CVE: CVE-2021-34749


Radius server test connectivity fails : Error: 1812/udp’ is not a valid Radius authentication port or Radius client is not configured properly in the Radius server.

We have seen cases where a policy-based route (PBR) is configured for the management IP (NSIP) that points to a next-hop gateway.

If the ADC does not have a SNIP in the same subnet as that configured next hop, the packet may never leave the ADC, and the connectivity test therefore fails.

Without such a SNIP, the RADIUS packet sent from FreeBSD to the internal virtual server is never forwarded to the actual RADIUS server.


Service on ADC shows DOWN with monitor error: “No MIP/SNIP available”

To resolve this issue, complete the following steps:

  1. Make sure that a SNIP for the subnet you are trying to reach is added on the ADC.
  2. Verify that a route exists for that subnet. If the route does not exist, add it using the add route command.

    Note: you might also get this error if you have two default routes. Check the show route output and delete one route after confirming with the customer.
  3. Alternatively, you can create a Net Profile with the SNIP that you configured and bind it to the Service / Service Group, so that monitor probes are sourced from that SNIP.


ADM and Director Integration missing Network HDX data: Error “No details are available” or blank page

Running Citrix ADM 13.0 (latest) and attempting to integrate the network function into our Citrix Director 1912.

Attempted to use both HTTP and HTTPS.

With HTTP the network tab on Director is blank.

With HTTPS it says no details are available.

The following guide was used: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/director/hdx-insight.html

Using HTTPS:

The network capture trace shows that the Director server sends a FIN and interrupts the TLS handshake with the ADM server.

TLS flow Request from ADM Server
==========================
Transport Layer Security
  TLSv1.2 Record Layer: Handshake Protocol: New Session Ticket
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 170
    Handshake Protocol: New Session Ticket
  TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    Content Type: Change Cipher Spec (20)
    Version: TLS 1.2 (0x0303)
    Length: 1
    Change Cipher Spec Message
  TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 96
    Handshake Protocol: Encrypted Handshake Message

Response TLS from Director Server
==========================
Transmission Control Protocol, Src Port: 52282, Dst Port: 443, Seq: 342, Ack: 4300, Len: 0
  Source Port: 52282
  Destination Port: 443
  [Stream index: 0]
  [TCP Segment Len: 0]
  Sequence Number: 342 (relative sequence number)
  Sequence Number (raw): 1163837986
  [Next Sequence Number: 343 (relative sequence number)]
  Acknowledgment Number: 4300 (relative ack number)
  Acknowledgment number (raw): 1444382645
  0101 .... = Header Length: 20 bytes (5)
  Flags: 0x011 (FIN, ACK)
  Window: 512
  [Calculated window size: 131072]
  [Window size scaling factor: 256]
  Checksum: 0xb928 [unverified]
  [Checksum Status: Unverified]
  Urgent Pointer: 0
  [SEQ/ACK analysis]
  [Timestamps]

When using HTTP: the browser shows a blank page, with no errors or details.



SDWAN does not support “MSS Clamping” in PPPoE Internet Service (before version 11.3.1), which causes some external web pages to fail to load

This happens because the SDWAN PPPoE link does not support MSS Clamping before version 11.3.1.

What is MSS Clamping?

1. On a PPPoE link, an additional 8-byte PPPoE header is inserted into every frame. That can push the total frame length past the 1500-byte MTU, so TCP packets carrying a 1460-byte payload would have to be fragmented.

2. However, in most cases the DF bit is set in the packet, so fragmentation is not allowed. The PPPoE router should then reply with an ICMP “Fragmentation Required” message to the originating client/server, which should resend the data in smaller packets.

3. However, that ICMP message may be dropped by a firewall. In such cases a better solution is for the PPPoE router to modify the MSS value in the TCP connection to fit the PPPoE link’s MTU. That is called MSS Clamping.
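The clamping step 3 describes, as an added example that is not part of the original article: a Python function that rewrites the MSS option of a SYN so that a 1500-byte MTU minus the 8-byte PPPoE header (1492) yields an IPv4 MSS of 1452, and keeps the TCP checksum valid with the RFC 1624 incremental update instead of re-summing the segment. The endpoints, ports and the SYN itself are constructed values.

```python
import struct

# Constructed endpoints for the TCP pseudo-header (example values, not from the article).
SRC_IP, DST_IP = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])
IP_TCP_HEADERS = 40     # 20-byte IPv4 header + 20-byte TCP header without options

def _fold(total: int) -> int:      # ones' complement addition: fold carries into 16 bits
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(segment: bytes) -> int:
    # Full checksum over pseudo-header + segment; the checksum field must be zero.
    data = SRC_IP + DST_IP + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    return ~_fold(sum(struct.unpack("!%dH" % (len(data) // 2), data))) & 0xFFFF

def checksum_ok(segment: bytes) -> bool:
    stored = struct.unpack_from("!H", segment, 16)[0]
    return stored == tcp_checksum(segment[:16] + b"\x00\x00" + segment[18:])

def build_syn(mss: int) -> bytes:
    # Constructed SYN: 20-byte header plus MSS, NOP and window-scale options (offset 7).
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01" + bytes([3, 3, 7])
    hdr = struct.pack("!HHIIBBHHH", 52282, 443, 1, 0, 7 << 4, 0x02, 65535, 0, 0) + opts
    return hdr[:16] + struct.pack("!H", tcp_checksum(hdr)) + hdr[18:]

def clamp_mss(segment: bytes, link_mtu: int):
    """Rewrite the MSS option on a SYN to fit link_mtu. Returns (segment, old_mss, new_mss)."""
    link_mss = link_mtu - IP_TCP_HEADERS
    if not segment[13] & 0x02:              # MSS is only carried on SYN / SYN-ACK
        return segment, None, None
    seg, i, end = bytearray(segment), 20, (segment[12] >> 4) * 4
    while i < end:
        if seg[i] == 0:                     # end-of-options
            break
        if seg[i] == 1:                     # NOP padding has no length byte
            i += 1
            continue
        if seg[i] == 2 and seg[i + 1] == 4:
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old <= link_mss:
                return segment, old, old    # already fits, nothing to rewrite
            struct.pack_into("!H", seg, i + 2, link_mss)
            # RFC 1624 incremental update HC' = ~(~HC + ~m + m') keeps the checksum valid.
            old_ck = struct.unpack_from("!H", seg, 16)[0]
            new_ck = ~_fold((~old_ck & 0xFFFF) + (~old & 0xFFFF) + link_mss) & 0xFFFF
            struct.pack_into("!H", seg, 16, new_ck)
            return bytes(seg), old, link_mss
        i += seg[i + 1]
    return segment, None, None
```

With a plain 1500-byte MTU the 1460 MSS already fits and the segment is returned unchanged; with the PPPoE link MTU of 1492 it is rewritten to 1452.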


Citrix Receiver for Web: Error “Cannot complete your request”

There can be multiple reasons behind this issue, as the error message shown in the web browser is very generic. To isolate and resolve it, follow these steps:

1. From a test machine, ping the base URL and note which IP it resolves to:

  • Case 1: Unable to resolve any IP
    Make sure the base URL is correct and that there is a DNS entry for it.
  • Case 2: Resolves to the Load Balancing VIP
    In this case we have to isolate whether it is a StoreFront issue or a NetScaler issue, and verify all the StoreFront servers.
    1. Browse “Store for Web” using the IP address of StoreFront, or localhost on the StoreFront server, and confirm that you can log in and see resources. Check this on all the StoreFront servers.
    2. If you can log in and see resources, the issue is caused by the configuration of the LB VIP, and troubleshooting should be done on NetScaler.
    3. If you still get the same error, troubleshooting should be done on StoreFront.
  • Case 3: Resolves to one of the StoreFront servers’ IPs
    Troubleshoot StoreFront and check why it is causing the issue.
  • Case 4: Incorrect trusted domain configured
    An incorrect trusted domain is configured for NetScaler Passthrough.

    To resolve: correct the domain name, or select “All Domains” under “Manage Authentication Methods” for NetScaler Passthrough.

Troubleshooting StoreFront:
  1. Ping the base URL from the StoreFront servers. Each StoreFront server should resolve the base URL to its own IP; if not, create a host entry (https://support.citrix.com/article/CTX235907).
  2. Make sure you can browse the default IIS page, as StoreFront depends on IIS.
  3. Make sure the default Store was never deleted from the StoreFront server. Deleting the default Store can corrupt StoreFront, and StoreFront may need to be reinstalled.
  4. Confirm that the StoreFront services are running. The Citrix Cluster Join service can be in the disabled state (it is only used when adding a new server to a Server Group).
  5. Check the Event Viewer on the StoreFront server. There can be multiple Receiver for Web events, e.g. “Failed to run discovery” or “Unable to resolve/find URL at 443/80”.
    • This can happen because of the IIS bindings. If the base URL is https, there must be an https binding on the StoreFront server with a valid certificate; otherwise change the base URL to http and confirm there is an http/port 80 binding in IIS.
  6. Check the authentication methods under Store > Manage Authentication Methods.
    • If the only authentication method available is Username and Password but you have selected Smart Card in Manage Authentication Methods, StoreFront will have no way to authenticate users and will return errors.

