Wednesday, April 9, 2014

Citrix NetScaler and the Heartbleed Bug

If you haven’t heard about the 2 year old OpenSSL security flaw named Heartbleed, check out the official site for information : Heartbleed.com.  Sadly, it was just ‘discovered’ a couple days ago.

In a nutshell, it is a vulnerability in some versions of OpenSSL that allows hackers and script kiddies to steal protected information through normal interactions without detection.   It has to do with the heartbeat/handshake process that happens between the server and the client.  The easiest high level explanation I have read is that during the handshaking process, a client normally send 64kb of information to the server that the server then in turn echoes back to the client.  To exploit the vulnerability, a malicious client can send an abnormal 1kb package instead during the handshaking process and then the server will echo that 1k back but fill the rest with server memory (63kb) to make a complete package.  This server memory can contain other user sessions data including usernames, passwords, encryption keys and other privileged information.  Fortunately, it is a simple coding mistake that can be easily rectified through a patch.  Unfortunately, it has been out there for around 2 years and is/was affecting a large part of the internet.

I opened up a case with Citrix to find out if the Citrix NetScalers that handle SSL VPNs are affected by this bug and was pleased to find out that they are not.  The Netscalers use an older version of OpenSSL that is not vulnerable to this type of attack.  The Netscalers use OpenSSL 0.9.7 and affected versions are 1.0.1 and 1.0.2 versions.

You can check the open ssl version on the Netscaler by following the below steps:



Login to the netscaler using putty.
Go to the shell prompt.
type the command: openssl, press enter.
type the command: version -a, press enter.

This will give detail info about the OpenSSLl version on the Netscaler.


The Netscalers do not support the ‘TLS heartbeat’ extension in the SSL engine that is affected by the Heartbleed Bug.

You can also use the following site to check other web sites for the vulnerability here:
http://filippo.io/Heartbleed/

My colleague Carlo Costanzo (http://www.vmwareinfo.com/) tested some View Servers and some older versions of CSG using the tester above and they also came back clean.

Update: Citrix has an official link here: http://support.citrix.com/article/CTX140605