Citrix CTX220329
Published: Feb 06, 2017 - 5:00 a.m.

CVE-2017-5933 - Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway GCM nonce generation

Source: support.citrix.com

CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 46.5%

Description of Problem

A flaw in NetScaler ADC and Gateway causes GCM nonces to be randomly generated, making it marginally easier for remote attackers to obtain the GCM authentication key and spoof data within a session.
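As an added illustration (not Citrix code and not part of the advisory), the Python below contrasts the random explicit-nonce generation the advisory describes with the counter-based construction TLS 1.2 AES-GCM (RFC 5288) expects, and adds a defender-side check for repeated explicit nonces under one key. The salt value, the sample session and the function names are constructed for the example.

```python
import math
import struct

# Constructed illustration, not Citrix code. In TLS 1.2 AES-GCM (RFC 5288) the
# 96-bit GCM nonce is a 4-byte implicit salt followed by an 8-byte explicit
# part sent in each record; the advisory concerns that explicit part being
# drawn at random instead of from a counter.
NONCE_SPACE = 2.0 ** 64  # size of the explicit-nonce space

def random_nonce_collision_probability(records):
    """Birthday bound 1 - exp(-n(n-1)/2N) for n random 64-bit explicit nonces;
    expm1 keeps precision when the probability is tiny."""
    return -math.expm1(-(records * (records - 1)) / (2.0 * NONCE_SPACE))

def records_for_probability(target):
    """Smallest record count at which a repeat becomes as likely as `target`."""
    return math.ceil(math.sqrt(-2.0 * NONCE_SPACE * math.log(1.0 - target)))

class CounterNonce:
    """The non-repeating alternative: a per-key counter for the explicit part.
    `salt` is the 4-byte implicit value; the key must be retired before the
    counter could wrap, so wrap-around is a hard error."""

    def __init__(self, salt):
        self.salt, self.counter = salt, 0

    def next(self):
        if self.counter >= 2 ** 64:
            raise OverflowError("explicit nonce exhausted; rekey required")
        explicit = struct.pack(">Q", self.counter)
        self.counter += 1
        return self.salt + explicit  # full 12-byte GCM IV

def find_reused_nonces(explicit_nonces):
    """Defender-side check over explicit nonces seen under one key: return each
    value that appeared more than once. Any repeat under one GCM key voids the
    mode's guarantees, whichever side produced it."""
    seen, reused = set(), []
    for nonce in explicit_nonces:
        if nonce in seen and nonce not in reused:
            reused.append(nonce)
        seen.add(nonce)
    return reused

# Constructed sample: four explicit nonces from one session, one repeated.
SAMPLE_SESSION = [bytes.fromhex(h) for h in (
    "0000000000000001", "0000000000000002",
    "8f3a1c9e2b7d4456", "8f3a1c9e2b7d4456")]
```

With 64 random bits the repeat probability reaches one half after roughly five billion records, whereas the counter never repeats within a key's lifetime.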

The following vulnerability has been addressed:

CVE-2017-5933: Vulnerability in Citrix NetScaler Application Delivery Controller and Citrix NetScaler Gateway GCM Nonce Generation

The vulnerability affects the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Version 11.1 earlier than 11.1 Build 51.21
  • Version 11.0 earlier than 11.0 Build 69.12/69.123
  • Version 10.5 earlier than 10.5 Build 65.11

This vulnerability does not impact Citrix NetScaler ADC and NetScaler Gateway version 10.1 and prior.


Mitigating Factors

Only Citrix NetScaler ADC and NetScaler Gateway appliances that have been configured to use GCM-based ciphersuites are affected by this vulnerability.


What Customers Should Do

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 Build 51.21 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 Build 69.12/69.123 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 Build 65.11 and later

These new versions can be downloaded from the following locations:

<https://www.citrix.com/downloads/netscaler-adc.html>

<https://www.citrix.com/downloads/netscaler-gateway.html>

Citrix recommends that customers using affected versions of NetScaler ADC and NetScaler Gateway upgrade to a version of the appliance firmware that contains the fixes for this issue as soon as their normal patching schedule allows.


Acknowledgements

Citrix thanks Hanno Böck (<https://hboeck.de/>) for working with us to protect Citrix customers. His original research on this issue is available here.


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date               Change
February 6, 2017   Initial Publishing
February 9, 2017   Updated to Citrix-specific CVE
February 14, 2017  Updated issue description
