CVSS2: 4.3 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |

CVSS3: 5.9 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |

EPSS: 0.001 Low (Percentile: 46.5%)

A flaw in NetScaler ADC and Gateway causes GCM nonces to be randomly generated, making it marginally easier for remote attackers to obtain the GCM authentication key and spoof data within a session.
The following vulnerability has been addressed:
CVE-2017-5933: Vulnerability in Citrix NetScaler Application Delivery Controller and Citrix NetScaler Gateway GCM Nonce Generation
The vulnerability affects the following versions of Citrix NetScaler ADC and NetScaler Gateway:
This vulnerability does not impact Citrix NetScaler ADC and NetScaler Gateway version 10.1 and prior.
Only Citrix NetScaler ADC and NetScaler Gateway appliances that have been configured to use GCM-based ciphersuites are affected by this vulnerability.
This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:
These new versions can be downloaded from the following locations:
<https://www.citrix.com/downloads/netscaler-adc.html>
<https://www.citrix.com/downloads/netscaler-gateway.html>
Citrix recommends that customers using affected versions of NetScaler ADC and NetScaler Gateway upgrade to a version of the appliance firmware that contains the fixes for this issue as soon as their normal patching schedule allows.
Citrix thanks Hanno Böck (<https://hboeck.de/>) for working with us to protect Citrix customers. His original research on this issue is available here.
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Date | Change |
---|---|
February 6, 2017 | Initial Publishing |
February 9, 2017 | Updated to Citrix-specific CVE |
February 14, 2017 | Updated issue description |