CVE-2017-17382 - TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway

Description of Problem

A vulnerability has been identified in the Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Packet Engine that could allow an attacker to exploit the appliance to decrypt TLS traffic.

This vulnerability has been assigned the following CVE:

• CVE-2017-17382: TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway

This vulnerability affects the following versions of Citrix NetScaler ADC and NetScaler Gateway:

• Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build 53.22
• Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build 56.19
• Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build 71.22
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build 67.13

This vulnerability does not allow an attacker to obtain the TLS private key.

In deployments where TLS private keys are shared between different devices, any of these vulnerable appliances could potentially be used to decrypt TLS traffic handled by the other devices. As a consequence, all vulnerable devices must be patched to address this issue.

---

Mitigating Factors

Citrix NetScaler ADC and NetScaler Gateway appliances that are configured to only use Perfect Forward Secrecy (PFS) cipher suites are not affected by this vulnerability.

---

What Customers Should Do

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

• Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 53.22 and later
• Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 56.19 and later
• Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 71.22 and later
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 67.13 and later

These new versions can be found on the Citrix website at the following locations:

<https://www.citrix.com/downloads/netscaler-adc/&gt;

<https://www.citrix.com/downloads/netscaler-gateway/&gt;

Citrix strongly recommends that affected customers upgrade all of their vulnerable NetScaler appliances to a version of the appliance firmware that contains a fix for this issue as soon as possible.

---

Acknowledgements

Citrix would like to thank the following for working with us to protect Citrix customers:

• Hanno Böck ([email protected])
• Juraj Somorovsky ([email protected]) of Ruhr-Universität Bochum / Hackmanit GmbH
• Craig Young ([email protected]) of Tripwire VERT

---

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at _ <http://support.citrix.com/&gt;_.

---

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at _ <https://www.citrix.com/support/open-a-support-case.html&gt;_.

---

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix

---

Changelog

Date	Change
12th December 2017	Initial publishing

---