I thought I'd do a small write-up on mitigating vulnerabilities in Citrix NetScaler and StoreFront that were found during a penetration test. This is not a complete list, but it will help address a few of them.
- SSL v3.0 and TLS v1.0 are vulnerable to the BEAST and POODLE attacks (CVE-2011-3389 and CVE-2014-3566). To disable SSL v3.0 and TLS v1.0:
Create a DWORD value named "Enabled" under each of the paths below and set it to 0. Of course, reboot afterwards.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
If you are still running a StoreFront version older than 3.5, this change will break it, because those versions do not support TLS 1.2. Upgrade StoreFront to the latest version first.
- The SSL/TLS service supports RC4 ciphers as part of its cipher suites, covered in CVE-2013-2566 and CVE-2015-2808. To reconfigure the service so that RC4 ciphers are not used, do the following:
Create a DWORD value named "Enabled" under the path below and set it to 0.
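As an added example (not part of the original post), the SCHANNEL registry steps above, for both the SSL 3.0 / TLS 1.0 server keys and the RC4 step, as one PowerShell script that sets the values and then audits them. The RC4 cipher key names are assumed here to be the standard SCHANNEL names (RC4 128/128, 64/128, 56/128, 40/128), which the post does not list.

```powershell
# Added example: disable SSL 3.0 / TLS 1.0 (server side) and the RC4 cipher
# suites via SCHANNEL registry keys, then audit the result. Run elevated.
# SCHANNEL reads these keys at boot, so a reboot is still required afterwards.
# The RC4 key names below are the standard SCHANNEL names (assumption: the
# post itself does not list the cipher key path).
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$targets = @(
    "$schannel\Protocols\SSL 3.0\Server",
    "$schannel\Protocols\TLS 1.0\Server",
    "$schannel\Ciphers\RC4 128/128",
    "$schannel\Ciphers\RC4 64/128",
    "$schannel\Ciphers\RC4 56/128",
    "$schannel\Ciphers\RC4 40/128"
)

function Disable-SchannelItem {
    param([string]$SubKey)
    # The cipher key names contain '/', which the PowerShell registry provider
    # treats as a path separator, so use the .NET registry API instead of New-Item.
    # CreateSubKey also creates any missing parent keys (e.g. "TLS 1.0").
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Test-SchannelItemDisabled {
    param([string]$SubKey)
    # Returns $true only when the key exists and Enabled is explicitly 0;
    # a missing key or missing value means the default (enabled) applies.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $false }
    try {
        return ($key.GetValue('Enabled') -eq 0)
    } finally {
        $key.Close()
    }
}

foreach ($t in $targets) { Disable-SchannelItem -SubKey $t }

# Audit: one line per item so the change can be checked before rebooting.
foreach ($t in $targets) {
    $state = if (Test-SchannelItemDisabled -SubKey $t) { 'disabled' } else { 'STILL ENABLED' }
    '{0,-14} {1}' -f $state, $t
}
```

The audit half can be run on its own against other StoreFront servers to confirm they match before the pentest retest.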
- IIS on the StoreFront servers leaks server information in its HTTP response headers. I use the URL Rewrite module to remove the unwanted response headers.
Typically there are three response headers that should be removed for security reasons:
- Server – Specifies web server version.
- X-Powered-By – Indicates that the website is "powered by ASP.NET".
- X-AspNet-Version – Specifies the version of ASP.NET used.
Go to the site where the change is to be applied, then select URL Rewrite > Add Rules > Outbound Rules > Blank rule.
Give it a name, a matching scope, a variable name and a pattern.
Select Rewrite as the action type.
The other two rules are the same, except that the variable name differs; use any rule name you like. The other settings remain the same as above.
For X-Powered-By rule use the variable as RESPONSE_X-POWERED-BY
For X-AspNet-Version rule use the variable as RESPONSE_X-ASPNET-VERSION
You should end up with three outbound rules as below.
- On the NetScaler, a few critical items: disable SSLv3/TLSv1.0, enable secure access only for management, create custom cipher groups containing only the ciphers you need, and configure the NTP service not to answer monlist queries (CVE-2013-5211).
Disable SSLv3.0/TLSv1.0 on the LB vServers and Gateway vServers. I had a few issues disabling TLSv1.0 in an ICA proxy deployment and did not investigate further.
Enable "Secure access only" for management. Detailed steps are in http://support.citrix.com/article/CTX205264
Create a custom cipher group and bind it to the vServers. I will not detail the process; however, the ciphers are as below
Configure the NTP service not to respond to monlist queries:
- Edit the file /flash/nsconfig/ntp.conf, add the line restrict default noquery, then save and exit
- Identify and kill the ntp process (ps -aux | grep ntp, then kill <PID>)
- Start ntpd (/usr/sbin/ntpd -g -c /flash/nsconfig/ntp.conf)
- Verify that monlist queries are no longer answered
Hope this was helpful; comments are welcome.