Multiple Cisco Products Server Name Identification Data Exfiltration Vulnerability

A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised host.

This vulnerability is due to inadequate filtering of the SSL handshake. An attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate with an external server. A successful exploit could allow the attacker to execute a command-and-control attack on a compromised host and perform additional data exfiltration attacks.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sni-data-exfil-mFgzXqLN

Security Impact Rating: Medium

CVE: CVE-2021-34749


ADM and Director Integration missing Network HDX data: Error “No details are available” or blank page

Running Citrix ADM 13.0 (latest) and attempting to integrate the network function into our Citrix Director 1912.

Attempted to use both HTTP and HTTPS.

With HTTP the network tab on Director is blank.

With HTTPS it says no details are available.

The following guide was used: https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/director/hdx-insight.html

Using HTTPS ::

Network capture trace shows the Director server sends a FIN and interrupts the TLS handshake with the ADM server.

TLS flow Request from ADM Server

==========================

Transport Layer Security
  TLSv1.2 Record Layer: Handshake Protocol: New Session Ticket
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 170
    Handshake Protocol: New Session Ticket
  TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    Content Type: Change Cipher Spec (20)
    Version: TLS 1.2 (0x0303)
    Length: 1
    Change Cipher Spec Message
  TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 96
    Handshake Protocol: Encrypted Handshake Message

Response TLS from Director Server

==========================

Transmission Control Protocol, Src Port: 52282, Dst Port: 443, Seq: 342, Ack: 4300, Len: 0
  Source Port: 52282
  Destination Port: 443
  [Stream index: 0]
  [TCP Segment Len: 0]
  Sequence Number: 342 (relative sequence number)
  Sequence Number (raw): 1163837986
  [Next Sequence Number: 343 (relative sequence number)]
  Acknowledgment Number: 4300 (relative ack number)
  Acknowledgment number (raw): 1444382645
  0101 .... = Header Length: 20 bytes (5)
  Flags: 0x011 (FIN, ACK)
  Window: 512
  [Calculated window size: 131072]
  [Window size scaling factor: 256]
  Checksum: 0xb928 [unverified]
  [Checksum Status: Unverified]
  Urgent Pointer: 0
  [SEQ/ACK analysis]
  [Timestamps]

When using HTTP :: Browser shows a blank page, no errors or details.


TLS handshake fails with any TLS LB VIP FIPS 9700 – Reset code 9811 from ADC

Daylight Saving Time changed and the NTP servers were out of sync with the ADC.

The time stamp mismatch between client and server was created by the Daylight Saving Time 2020 change (which began at 2:00 AM) together with the out-of-sync NTP server.

TLS is time sensitive: the ADC detects a time mismatch and tears down the TLS session, sending a RESET with code 9811.

Note regarding RESET code 9811

=============================

As part of the TLS handshake :: after a “Change Cipher Spec” message from the client machine, the ADC should send back another “Change Cipher Spec” confirming the newly created TLS session, but instead the ADC sends a RESET message with RESET code :: 9811 because it detected a time stamp mismatch.

Following this article :: NetScaler Reset Error Codes

https://support.citrix.com/article/CTX200852

Reset code 9811 means :: NSDBG_RST_ERRHANDLER: This reset code is used with SSL. After sending a Fatal Alert, the NetScaler sends a RST packet with this error code. If the client does not display any supported ciphers to the NetScaler appliance, the appliance sends a Fatal Alert and then this RST packet.

In this case the error code is deceiving, because the client machine did display the ciphers available to the ADC, but the ADC found a time stamp mismatch in the TLS Session-ID and invalidated the session.

Cipher used on this Session was :: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

Handshake Protocol: Server Hello
  Handshake Type: Server Hello (2)
  Length: 87
  Version: TLS 1.2 (0x0303)
  Random: 5e66690d10ed940e434f5ef414065933aac401eaf2806ad7…
  Session ID Length: 32
  Session ID: 1a1ff2f6e4aaa45336d6c8f3454892b324fea21528474cce…
  Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
  Compression Method: null (0)
  Extensions Length: 15
  Extension: application_layer_protocol_negotiation (len=11)
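
As an added example (not code from the post or from Citrix), the Server Hello above can be rebuilt from the dissector fields and decoded: in TLS 1.2 the first four bytes of Random carry gmt_unix_time, which is the kind of value a clock-skew triage check compares against a trusted clock. The Random and Session ID bytes the post truncates with “…” and the ALPN payload are assumed filler.

```python
import struct
from datetime import datetime, timezone

# Constructed Server Hello, rebuilt from the dissector fields shown above. The
# 24 Random and Session ID bytes the post prints are copied verbatim; the 8
# bytes it truncates with "..." and the ALPN payload are assumed filler.
RANDOM = bytes.fromhex("5e66690d10ed940e434f5ef414065933aac401eaf2806ad7") + b"\x00" * 8
SESSION_ID = bytes.fromhex("1a1ff2f6e4aaa45336d6c8f3454892b324fea21528474cce") + b"\x00" * 8
ALPN_EXT = struct.pack("!HH", 0x0010, 11) + struct.pack("!HB", 9, 8) + b"http/1.1"  # len=11
BODY = (b"\x03\x03" + RANDOM + bytes([len(SESSION_ID)]) + SESSION_ID
        + b"\x00\x35"                                   # TLS_RSA_WITH_AES_256_CBC_SHA
        + b"\x00"                                       # compression: null
        + struct.pack("!H", len(ALPN_EXT)) + ALPN_EXT)  # Extensions Length: 15
SERVER_HELLO = b"\x02" + len(BODY).to_bytes(3, "big") + BODY  # type 2, Length: 87


def parse_server_hello(msg: bytes) -> dict:
    """Decode a TLS 1.2 ServerHello handshake message (RFC 5246, 7.4.1.3)."""
    if msg[0] != 2:
        raise ValueError("not a ServerHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    random = body[2:34]
    sid_len = body[34]
    pos = 35 + sid_len
    cipher_suite, compression = struct.unpack("!HB", body[pos:pos + 3])
    pos += 3
    extensions = {}
    if pos < len(body):                      # extensions block is optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            extensions[ext_type] = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
    # RFC 5246 defines Random as gmt_unix_time (4 bytes) + 28 random bytes.
    # Many stacks fill all 32 bytes randomly (TLS 1.3 always does), so the
    # decoded time is a hint for clock-skew triage, not proof.
    gmt_unix_time = struct.unpack("!I", random[:4])[0]
    return {
        "version": version,
        "gmt_unix_time": gmt_unix_time,
        "utc": datetime.fromtimestamp(gmt_unix_time, tz=timezone.utc).isoformat(),
        "session_id": body[35:35 + sid_len],
        "cipher_suite": cipher_suite,
        "extensions": extensions,
    }


def clock_skew_seconds(hello: dict, reference_unix: int) -> int:
    """Skew between the hello's embedded time and a trusted (NTP-synced) clock."""
    return reference_unix - hello["gmt_unix_time"]


def looks_skewed(hello: dict, reference_unix: int, tolerance: int = 300) -> bool:
    """True when skew exceeds tolerance, e.g. the one-hour DST offset in this post."""
    return abs(clock_skew_seconds(hello, reference_unix)) > tolerance
```

The Random shown in the post decodes to 2020-03-09T16:04:29Z; a peer whose clock is one hour off, as with the DST change described above, produces a 3600 s skew that exceeds the 300 s tolerance.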

SSL connection toward explicit forward proxy

Hi all,

We are currently using an explicit forward proxy using HTTP basic auth. The goal is to at least secure the transmitted credentials.

What we had set up before:

  1. client ----- http -----> proxysg:80 ----> http://internet.site/
  2. client ----- http -----> proxysg:80 ----> https://internet.site/… (uses HTTP CONNECT)

What we would like to do now is the same as above, except for the first step, which should preferably become HTTPS:

  1. client ----- https -----> proxysg:443 ----> http://internet.site/
  2. client ----- https -----> proxysg:443 ----> https://internet.site/

That last part required setting up a proxy service listening on proxysg:443 and selecting “HTTPS reverse proxy”. I hope that is correct!

Currently accessing a site using HTTP on the internet works:

# curl -vv --proxy https://192.168.1.12:443 --proxy-insecure --insecure http://www.site.com/
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Connected to 192.168.1.12 (192.168.1.12) port 443 (#0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Proxy certificate:
*  subject: C=US; ST=CA; O=Blue Coat Systems, Inc.; OU=Blue Coat SG-S200 Series; CN=xxx
*  start date: Jan  1 10:46:49 2020 GMT
*  expire date: Jan  1 10:46:49 2025 GMT
*  issuer: C=US; ST=California; L=Sunnyvale; O=Blue Coat Systems, Inc.; OU=Blue Coat, ABRCA; CN=abrca.bluecoat.com; emailAddress=sysadmin@bluecoat.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET http://www.site.com/ HTTP/1.1
> Host: www.site.com
> User-Agent: curl/7.60.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.3
< Date: Wed, 29 Jan 2020 15:46:24 GMT
< Content-Type: text/html
< Content-Length: 226
< Last-Modified: Mon, 22 Sep 2014 17:55:21 GMT
< ETag: "e2-503ab2786f440"
< Accept-Ranges: bytes
< Vary: Accept-Encoding
< Proxy-Connection: Keep-Alive
< Connection: Keep-Alive
< Age: 0
<
<HTML>
<HEAD>
<TITLE>Welcome!</TITLE>

Accessing a site using HTTPS does NOT work, however I don’t understand why. It shouldn’t depend on the outer layer of the connection, which has now become HTTPS instead of HTTP…

# curl -vv --proxy https://192.168.1.12:443 --proxy-insecure --insecure https://www.site.com/
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Connected to 192.168.1.12 (192.168.1.12) port 443 (#0)
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Proxy certificate:
*  subject: C=US; ST=CA; O=Blue Coat Systems, Inc.; OU=Blue Coat SG-S200 Series; CN=xxx
*  start date: Jan  1 10:46:49 2020 GMT
*  expire date: Jan  1 10:46:49 2025 GMT
*  issuer: C=US; ST=California; L=Sunnyvale; O=Blue Coat Systems, Inc.; OU=Blue Coat, ABRCA; CN=abrca.bluecoat.com; emailAddress=sysadmin@bluecoat.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.site.com:443
> CONNECT www.site.com:443 HTTP/1.1
> Host: www.site.com:443
> User-Agent: curl/7.60.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.site.com:443
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.site.com:443

The remote end shows this (no data is transmitted):

   98 16:47:41.913409959 1.1.1.1 → 2.2.2.2 TCP 74 53656 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1380 SACK_PERM=1 TSval=4144667785 TSecr=0 WS=64
   99 16:47:41.913463623 2.2.2.2 → 1.1.1.1 TCP 74 443 → 53656 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=3089349285 TSecr=4144667785 WS=128
  100 16:47:41.925293814 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [ACK] Seq=1 Ack=1 Win=262848 Len=0 TSval=4144667797 TSecr=3089349285
  101 16:47:41.925490666 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [FIN, ACK] Seq=1 Ack=1 Win=262848 Len=0 TSval=4144667797 TSecr=3089349285
  102 16:47:41.925529264 2.2.2.2 → 1.1.1.1 TCP 66 443 → 53656 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=3089349288 TSecr=4144667797
  103 16:47:41.937479029 1.1.1.1 → 2.2.2.2 TCP 66 53656 → 443 [ACK] Seq=2 Ack=2 Win=262848 Len=0 TSval=4144667809 TSecr=3089349288

Proxy Policy trace is inconclusive:

connection: service.name=Explicit HTTPS client.address=192.168.2.226 proxy.port=443 client.interface=0:0.44 routing-domain=default
  location-id=0 access_type=unknown
time: 2020-01-29 15:19:07 UTC
CONNECT tcp://www.site.com:443/
  DNS lookup was unrestricted
User-Agent: curl/7.60.0
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
  url.category: none@Policy;none@Blue Coat
    total categorization time: 0
    static categorization time: 0
server.response.code: 0
client.response.code: 200
application.name: none
application.operation: none
application.group: none
DSCP client outbound: 65
DSCP server outbound: 65

What could be the problem?

Am I doing this correctly? Or is there a more correct approach to secure the connection toward the proxy itself?

Thanks,

Jim


Considerations for Upgrading from 12.0 to 12.1

1) Removal of Weak Ciphers from DEFAULT_BACKEND cipher Group

This should not cause any issues for customers with backend applications that use modern Ciphers and TLS.

However, legacy applications may face connectivity issues if specific Cipher Groups with these older Ciphers enabled are not configured.

Make sure to check if any backend Web Server/Resource/Application requires the above Ciphers before upgrade.

If they do, configure a Cipher Group with the required Ciphers and bind this to the Service or Service Group and unbind the DEFAULT_BACKEND Cipher Group.


2) Change in Password Encryption for Private Keys/Certificate-Key Pairs

Support for KEK encryption in private key

The password of the private key used while adding an SSL certificate-key pair is now saved using a unique encryption key for each Citrix ADC appliance.

For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/config-ssloffloading.html#add-or-update-a-certificate-key-pair.

Important: Certificate keys are lost if you downgrade to a build earlier than release 12.1 build 50.x.

[From Build 50.31]

[# NSHELP-14911]

https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/Citrix-ADC-12-1-54-16.html

Customers should not see any issues with this change during the upgrade.

However, if they do need to downgrade for any reason, none of their encrypted private keys will be added during the downgrade.

To get around this, do one of two things:

1: (Recommended) Take a backup of the configuration while on 12.0, so that if a downgrade is needed a restore can be performed after the downgrade.

–or–

2: Do not save the configuration after the upgrade to 12.1 until it has been confirmed that everything is working and there is no need to downgrade.


Errors testing new connector to CHv 8 – “Connection Error: A failure occurred connecting to Citrix Hypervisor. Error = write EPROTO 140247625111360:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol”

In the XenCenter configuration for the host, uncheck the option to force only TLS 1.2 communication. See the section “Disabling older protocols” in the document below.

https://www.citrix.com/content/dam/citrix/en_us/documents/white-paper/security-recommendations-when-deploying-citrix-xenserver.pdf


To correct the certificate errors that appear when the connector setting “ignore certificate errors” is unchecked, follow the article below.

https://support.citrix.com/article/CTX261855


Cisco Adaptive Security Appliance Software SSL VPN Denial of Service Vulnerability

A vulnerability in the Secure Sockets Layer (SSL) VPN feature of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition that prevents the creation of new SSL/Transport Layer Security (TLS) connections to an affected device.

The vulnerability is due to incorrect handling of Base64-encoded strings. An attacker could exploit this vulnerability by opening many SSL VPN sessions to an affected device. The attacker would need to have valid user credentials on the affected device to exploit this vulnerability. A successful exploit could allow the attacker to overwrite a special system memory location, which will eventually result in memory allocation errors for new SSL/TLS sessions to the device, preventing successful establishment of these sessions. A reload of the device is required to recover from this condition. Established SSL/TLS connections to the device and SSL/TLS connections through the device are not affected.

Note: Although this vulnerability is in the SSL VPN feature, successful exploitation of this vulnerability would affect all new SSL/TLS sessions to the device, including management sessions.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-asa-ssl-vpn-dos

This advisory is part of the October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 10 Cisco Security Advisories that describe 18 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2019 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2019-12677


Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability

A vulnerability in the HTTP client feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to read and modify data that should normally have been sent via an encrypted channel.

The vulnerability is due to TCP port information not being considered when matching new requests to existing, persistent HTTP connections. An attacker could exploit this vulnerability by acting as a man-in-the-middle and then reading and/or modifying data that should normally have been sent through an encrypted channel.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-http-client

Security Impact Rating: Medium

CVE: CVE-2019-12665
