I thought I’d do a small write-up on mitigating vulnerabilities in Citrix NetScaler & StoreFront found during a penetration test. This may not be the complete list; however, it’ll help to address a few.
- SSL v3.0 and TLS v1.0 are vulnerable to the POODLE attack (CVE-2014-3566) and the BEAST attack (CVE-2011-3389). To disable SSL v3.0 & TLS v1.0:
Create a DWORD “Enabled” under each of the paths below and set its value to 0. Of course, reboot.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
If you’re still using a StoreFront version earlier than 3.5, this will affect it, as TLS 1.2 is not supported. So upgrade your StoreFront to the latest version.
- The ciphered service supports the use of RC4 ciphers as part of its cipher suites. This is covered in CVE-2013-2566 and CVE-2015-2808. To reconfigure the ciphered service to avoid RC4 ciphers, do as below:
Create a DWORD “Enabled” under the path below and set its value to 0.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
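An added example (not from the original post) that audits and, with -Apply, sets the three “Enabled” values from the two items above. It goes through the .NET registry API because the PowerShell registry provider treats the “/” in “RC4 128/128” as a path separator; the -Apply switch and the function names are illustrative.

```powershell
# Added example: audit or apply the SCHANNEL values described in the post.
# Run from an elevated prompt; a reboot is still needed after -Apply.
param([switch]$Apply)   # hypothetical switch name

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
# Sub-keys taken from the post; each gets DWORD "Enabled" = 0.
$targets = @(
    'Protocols\SSL 3.0\Server',
    'Protocols\TLS 1.0\Server',
    'Ciphers\RC4 128/128'
)

function Get-SchannelEnabled([string]$SubKey) {
    # OpenSubKey returns $null when the key is absent (OS default applies).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }
    try { return $key.GetValue('Enabled', $null) } finally { $key.Close() }
}

function Set-SchannelDisabled([string]$SubKey) {
    # .NET only splits on "\", so "RC4 128/128" stays a single key name.
    # New-Item on the HKLM: drive would create "RC4 128" with a child "128".
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$SubKey")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
}

$results = foreach ($t in $targets) {
    if ($Apply) { Set-SchannelDisabled $t }
    $v = Get-SchannelEnabled $t
    [pscustomobject]@{
        Key      = $t
        Enabled  = if ($null -eq $v) { '(not set)' } else { $v }
        Hardened = ($v -eq 0)   # $null (missing) counts as not hardened
    }
}
$results | Format-Table -AutoSize

if (-not $Apply -and ($results.Hardened -contains $false)) {
    Write-Warning 'One or more keys are not Enabled=0. Re-run with -Apply.'
}
```

Run it without arguments first to see the current state, then with -Apply during a maintenance window.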
- IIS on the StoreFront servers leaks server information in its HTTP responses. I use the URL Rewrite option to remove unwanted response headers.
Typically there are 3 response headers that should be removed for security reasons.
- Server – Specifies web server version.
- X-Powered-By – Indicates that the website is “powered by ASP.NET.”
- X-AspNet-Version – Specifies the version of ASP.NET used.
Go to the site where the change has to be applied, select URL Rewrite > Add Rules > Outbound Rules > Blank rule
Give it a name, Matching scope, Variable name & pattern
Select action type as Rewrite
It’ll be the same for the other 2 rules as well, except that the variable name will be different; use a rule name of your liking. Other settings remain the same as above.
For X-Powered-By rule use the variable as RESPONSE_X-POWERED-BY
For X-AspNet-Version rule use the variable as RESPONSE_X-ASPNET-VERSION
You should have 3 outbound rules as below
- On to the NetScaler, a few critical things: disable SSLv3/TLSv1.0, enable secure access only for management, create custom cipher groups with only the needed ciphers, and configure the NTP service not to respond to monlist (CVE-2013-5211).
Disable SSLv3.0/TLSv1.0 on the LB vServers & Gateway vServers. I had a few issues disabling TLSv1.0 in an ICA proxy deployment and didn’t check it further.
Enable “Secure access only” access for management. Detailed steps in http://support.citrix.com/article/CTX205264
Create a custom cipher group and bind it to the vServers. I’ll not detail the process; however, the ciphers are as below
Configure NTP service not to respond to monlist query
- Edit the file /flash/nsconfig/ntp.conf > add restrict default noquery > Save & Exit
- Identify and kill the ntp process (ps -aux | grep "ntp", then kill <PID>)
- Start NTPD (/usr/sbin/ntpd -g -c /flash/nsconfig/ntp.conf)
- Verify monlist
Hope it was helpful, comments are welcome.