Citrix CTX200238

CVE-2014-3566 - Citrix Security Advisory for SSLv3 Protocol Flaw

2014-10-14 04:00:00
support.citrix.com

CVSS3: 3.4 Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: REQUIRED; Scope: CHANGED; Confidentiality Impact: LOW; Integrity Impact: NONE; Availability Impact: NONE

CVSS2: 4.3 Medium
AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE

EPSS: 0.975 High (Percentile 100.0%)

Description of Problem

The recently disclosed protocol flaw in SSLv3, referred to as CVE-2014-3566 (<https://vulners.com/cve/CVE-2014-3566>) or POODLE, could expose some deployments that support SSLv3 to a risk of an active Man in the Middle (MITM) attack. A successful attack could lead to the disclosure of the information that is being sent over the encrypted channel.

Considering the mitigating factors described below, Citrix does not consider this to be a high risk vulnerability. However, Citrix recommends that customers review their usage of SSLv3 and take steps to reconfigure their deployments to remove support for SSLv3 where appropriate.

Mitigating Factors

Customers should consider the following mitigating factors when assessing the risks posed by this issue:

  • In order to exploit this issue, a network-based attacker would need to be in a position to inject selected plain text into the encrypted channel. A typical scenario would be where a malicious script running inside a web browser is able to send data through the SSLv3 encrypted channel.
  • A typical exploit would require a relatively high volume of malicious traffic to extract a small quantity of data from the SSLv3 encrypted channel.
  • Customers using deployments configured to be FIPS 140-2 compliant would typically not be affected by this issue as SSLv3 should not be enabled.

What Customers Should Do

The following sections provide guidance on configuring SSLv3 support for relevant Citrix products; additional sections will be added as our analysis progresses. Customers requiring further assistance should refer to the documentation for their products or contact their normal Citrix Support representative. Product documentation is available on the Citrix website at the following address: <http://support.citrix.com/proddocs/topic/infocenter/ic-how-to-use.html>

Citrix NetScaler ADC and NetScaler Gateway

Customers should note that some scanning tools may report the TLS and DTLS Padding Validation Vulnerability described in CTX200378 as the “POODLE” or “TLS POODLE” vulnerability. If these issues are still being reported when SSLv3 has been disabled please refer to CTX200378 for guidance.

NetScaler vServers:

To disable SSLv3 on a specific vServer, run the following command from the NSCLI:

set ssl vserver <vservername> -ssl3 disabled

NetScaler Management Interfaces:

To disable SSLv3 on the NetScaler management interface, run the following commands from the NSCLI:

set ssl service nshttps-127.0.0.1-443 -ssl3 disabled

NetScaler Management Interfaces on the MIP/SNIP:

To disable SSLv3 on the MIP/SNIP, identify the internal service names by running the following command from the NSCLI for each IP address:

show service -internal | grep <IP>

SSLv3 can then be disabled for each IP address using the following NSCLI command:

set ssl service <internal service name for that ip> -ssl3 disabled

Note that, after these commands have been run, the NetScaler configuration should be saved with the NSCLI command “save config” so that the changes persist across appliance reboots. As with all configuration changes, Citrix recommends that these changes are validated within a test environment prior to deploying to a production environment.

Customers requiring further assistance should refer to the documentation for their products or contact their normal Citrix Support representative.

NetScaler Service Delivery Appliances

Customers using NetScaler Service Delivery Appliance service VM are affected by this vulnerability. To address this issue, customers should upgrade their Service Delivery Appliances to the following versions:

  • 10.5 Build 54.9 and later
  • 10.5 Build 54.9009.e and later
  • 10.1 Build 131.1 and later
  • 10.1 Build 130.1302.e and later

These new versions are available on the Citrix website at the following address:

<https://www.citrix.com/content/citrix/en_us/downloads/netscaler-adc.html>

Command Center

Customers using Command Center are affected by this vulnerability. To address this issue, customers should upgrade their Command Center deployment to the following versions:

  • 5.2 Build 43.19 and later
  • 5.1 Build 36.7 and later

These new versions are available on the Citrix website at the following address: <https://www.citrix.com/downloads/command-center.html>

Once upgraded, customers wishing to disable SSLv3 should then make this change in the Command Center user interface.

Citrix Secure Gateway & SSL Relay

Information on how to configure supported versions of Citrix Secure Gateway can be found in the product documentation. This is available on the Citrix website at the following address:

<https://docs.citrix.com/en-us/xenapp-and-xendesktop/xenapp-6-5/xenapp65-w2k8-wrapper/sg-presentation-server-v2/sg-configuring-sg-v2.html>

It is possible to configure the protocol versions used by the internal SSL Relay component under the “Connection” tab of the configuration utility. Further information on this can be found in the product documentation at the following address:

<http://support.citrix.com/servlet/KbServlet/download/12606-102-16435/Administrators_Guide.pdf>

Citrix Web Interface & Storefront

Information on how to configure the use of cryptographic protocols on the underlying Microsoft web server can be found at the following location:

<http://support.microsoft.com/kb/245030>

Citrix XenMobile

Customers wishing to configure their XenMobile Device Manager (XDM) deployments to prevent the use of SSLv3 can make the following changes:

  • Open the XDM tomcat configuration file server.xml for editing. The default installation location is c:\program files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\server.xml
  • Add the following line to https connector. Note: The default ports for the https connector are 443 and 8443:

sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"

  • Save the configuration file and restart XDM
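
The following script is an added example, not part of the Citrix advisory or of the XenMobile product: it parses a Tomcat server.xml of the shape XDM uses, reports which HTTPS connectors (the 443 and 8443 connectors mentioned above, in the sample) still allow SSLv3, and rewrites them with the TLS-only `sslEnabledProtocols` value the advisory gives. The sample XML is constructed for the example; a real deployment would read the file from the path given above.

```python
import xml.etree.ElementTree as ET

# Protocol list the advisory instructs to set on the https connector.
TLS_ONLY = "TLSv1.2,TLSv1.1,TLSv1"

# Constructed sample in the shape of a Tomcat server.xml (not the real XDM
# file): a plain HTTP connector that must be ignored, an HTTPS connector on
# 443 with no sslEnabledProtocols at all (so the JVM default set applies),
# and one on 8443 that still lists SSLv3 explicitly.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" keystoreFile="conf/xdm.keystore"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslEnabledProtocols="SSLv3,TLSv1"/>
  </Service>
</Server>
"""

def is_https_connector(conn):
    return conn.get("SSLEnabled", "").lower() == "true" or conn.get("scheme") == "https"

def sslv3_allowed(conn):
    """A connector that is not pinned to an explicit list, or that names SSLv3, is flagged."""
    protos = conn.get("sslEnabledProtocols")
    if protos is None:
        return True  # not pinned: nothing in this file rules SSLv3 out
    return any(p.strip().upper().startswith("SSLV3") for p in protos.split(","))

def audit(xml_text):
    """Return the ports of HTTPS connectors on which SSLv3 is still allowed."""
    root = ET.fromstring(xml_text)
    return [c.get("port") for c in root.iter("Connector")
            if is_https_connector(c) and sslv3_allowed(c)]

def harden(xml_text):
    """Pin every HTTPS connector to TLS only, as the advisory instructs; return the new XML."""
    root = ET.fromstring(xml_text)
    for c in root.iter("Connector"):
        if is_https_connector(c):
            c.set("sslEnabledProtocols", TLS_ONLY)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("HTTPS connectors still allowing SSLv3:", audit(SAMPLE_SERVER_XML))
    print("after hardening:", audit(harden(SAMPLE_SERVER_XML)))
```

Re-running `audit` on the output of `harden` returns an empty list, which is the check to repeat after editing the real file and restarting XDM.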

Customers using a combined NetScaler and XenMobile deployment should refer to the NetScaler guidance in this document for information on configuring their NetScaler appliances.

Customers using Citrix AppController 9.0 should download the patch for their products available at the following location:

<https://support.citrix.com/article/CTX142031>

Citrix CloudPortal Business Manager

Information on how to configure the use of cryptographic protocols on the underlying web server can be found at the following location:

<http://support.citrix.com/proddocs/topic/cpbm-23-map/cpbm-install.html>

Citrix SaaS Solutions

The following Citrix SaaS Solutions products are vulnerable to this issue:

  • GoToMeeting
  • GoToTraining
  • GoToWebinar
  • GoToAssist
  • OpenVoice
  • Citrix Labs Products (GoToMeet.me)

Citrix is actively working to address this issue and further information will be added to the document as it becomes available.

Citrix XenMobile and App Controller

A patch for affected versions of Citrix AppController has been released that addresses this vulnerability. This patch is available on the Citrix website at the following address:

<https://support.citrix.com/article/CTX142031>

Citrix recommends that customers using affected versions of App Controller apply this patch to their appliances as soon as their patching schedule allows.

Citrix XenMobile & App Controller 10 are not affected by this vulnerability.

Citrix VDI-In-A-Box

The following versions of Citrix VDI-In-A-Box (VIAB) are impacted by this vulnerability:

Citrix VDI-In-A-Box 5.4.x: A new version of VIAB, 5.4.5, has been released to address this issue. This can be found at the following address: <https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54.html>

Citrix VDI-In-A-Box 5.3.x: A new version of VIAB, 5.3.10, has been released to address this vulnerability. This can be found at the following address: <https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53.html>

Citrix CloudPlatform

In configurations where CloudPlatform has been configured to use HTTPS to provide secure communication to the management server, Citrix recommends that customers consider disabling SSLv3. Information on how to configure the underlying webserver to support TLS only can be found in the following article: <http://support.citrix.com/article/CTX132008>

Citrix recommends that customers using affected versions of CloudPlatform update their SystemVM ISOs and upgrade their system and router virtual machine templates to the latest version. Information on how to obtain and carry out these updates can be found in the following articles:

Citrix Licensing

License Server for Windows:

When configured to use SSL, the License Server for Windows is impacted by this vulnerability. To disable SSLv3 on License Server for Windows, please see the following article: <https://support.citrix.com/article/CTX200265>

License Server VPX:

SSLv3 is disabled in version 11.12.1 and later of the License Server VPX. Citrix recommends that customers upgrade to version 11.12.1 or later to address this issue. This version can be found at the following address: <http://www.citrix.com/downloads/licensing.html>

What Citrix is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix

Changelog

Date: Change
October 15th 2014: Initial bulletin published
October 16th 2014: Secure Gateway configuration added
October 20th 2014: SSL Relay, Web Interface/Storefront and XenMobile configuration added
November 7th 2014: CloudPortal Business Manager section added
November 13th 2014: SaaS Solutions section added
February 2nd 2015: XenMobile App Controller section added
February 25th 2015: Addition of VDI-In-A-Box section
March 4th 2015: Addition of CloudPlatform section, change to XenMobile section
March 18th 2015: VDI-In-A-Box section updated
April 8th 2015: Update to Secure Gateway & SSL Relay section
April 28th 2015: Update to NetScaler section
May 21st 2015: Addition of Licensing section
July 7th 2015: Update to SaaS Solutions section
September 1st 2015: Update to NetScaler section
September 8th 2015: Addition of Command Center section
March 22nd 2016: Updated link in Citrix Secure Gateway & SSL Relay section
