Citrix Netscaler 10.0 Denial Of Service

2013-10-04 / 2013-10-20
Credit: Stefan Viehback
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2013-6011
CWE: CWE-20


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

SEC Consult Vulnerability Lab Security Advisory < 20131003-0 > ======================================================================= title: nsconfigd NSRPC_REMOTECMD Denial of service vulnerability product: Citrix NetScaler vulnerable version: NetScaler 10.0 (Build <76.7) fixed version: NetScaler 10.0 (Build >=76.7) not affected: NetScaler 10.1 and 9.3 impact: Critical homepage: http://www.citrix.com found: 2012-12-10 by: Stefan Viehbck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: --------------------------- "Citrix NetScaler helps organizations build enterprise cloud networks that embody the characteristics and capabilities that define public cloud services, such as elasticity, expandability and simplicity. NetScaler brings to enterprise IT leaders multiple advanced technologies that were previously available only to large public cloud providers." "As an undisputed leader of service and application delivery, Citrix NetScaler solutions are deployed in thousands of networks around the globe to optimize, secure and control the delivery of all enterprise and cloud services. They deliver 100 percent application availability, application and database server offload, acceleration and advanced attack protection. Deployed directly in front of web and database servers, NetScaler solutions combine high-speed load balancing and content switching, http compression, content caching, SSL acceleration, application flow visibility and a powerful application firewall into a single, easy-to-use platform." URL: http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html Vulnerability overview/description: ----------------------------------- A vulnerability was found in the nsconfigd daemon (TCP port 3008 (SSL) and 3010). This daemon can be crashed by sending a specially crafted message. No prior authentication is necessary. A watchdog daemon (pitboss) automatically restarts nsconfigd after the first six crashes and then reboots the appliance. By sending just a few packets the appliance can be kept in a constant reboot loop resulting in total loss of availability. Proof of concept: ----------------- The nsconfigd daemon can be crashed for six times using the following Python script. Subsequently the appliance reboots. Detailed proof of concept exploits have been removed for this vulnerability. Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in Citrix NetScaler VPX (Build 70.7.nc), which was the most recent version at the time of discovery. Vendor contact timeline: ------------------------ 2013-03-27: Contacting vendor through secure@citrix.com. 2013-03-28: Vendor provides encryption key. 2013-03-28: Sending advisory via secure channel. 2013-03-28: Vendor confirms receipt of advisory. 2013-04-08: Requesting status update. 2013-04-19: Requesting status update (again). 2013-04-22: Vendor confirms issues, is "in the process of scheduling required changes". 2013-06-05: Requesting status update. 2013-06-25: Requesting status update (again). 2013-06-25: Vendor is still "in the process of scheduling changes". 2013-08-14: Requesting status update (again) and setting deadline (Oct. 3rd). 2013-09-18: Vendor provides release dates for the update (Oct. 1st and 2nd). 2013-10-03: SEC Consult releases coordinated security advisory. Solution: --------- Update to Citrix NetScaler 10.0 Build 76.7. Vendor information can be found at: http://support.citrix.com/article/ctx139017 Workaround: ----------- No workaround available. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehbck / @2013

References:

http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top