nsconfigd NSRPC_REMOTECMD Denial of service vulnerability

SEC Consult Vulnerability Lab Security Advisory < 20131003-0 >

=======================================================================

title: nsconfigd NSRPC_REMOTECMD Denial of service vulnerability

product: Citrix NetScaler

vulnerable version: NetScaler 10.0 (Build <76.7)

fixed version: NetScaler 10.0 (Build >=76.7)

not affected: NetScaler 10.1 and 9.3

impact: Critical

homepage: www.citrix.com

found: 2012-12-10

by: Stefan Viehböck

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

Vendor/product description:

-----------------------------

"Citrix NetScaler helps organizations build enterprise cloud networks that

embody the characteristics and capabilities that define public cloud services,

such as elasticity, expandability and simplicity. NetScaler brings to

enterprise IT leaders multiple advanced technologies that were previously

available only to large public cloud providers."

"As an undisputed leader of service and application delivery, Citrix NetScaler

solutions are deployed in thousands of networks around the globe to optimize,

secure and control the delivery of all enterprise and cloud services. They

deliver 100 percent application availability, application and database server

offload, acceleration and advanced attack protection. Deployed directly in

front of web and database servers, NetScaler solutions combine high-speed load

balancing and content switching, http compression, content caching, SSL

acceleration, application flow visibility and a powerful application firewall

into a single, easy-to-use platform."

URL: www.citrix.com/products/netscaler-application-delivery-controller/overview.html

 

Vulnerability overview/description:

-----------------------------------

A vulnerability was found in the nsconfigd daemon (TCP port 3008 (SSL) and

3010). This daemon can be crashed by sending a specially crafted message.

No prior authentication is necessary. A watchdog daemon (pitboss) automatically

restarts nsconfigd after the first six crashes and then reboots the appliance.

By sending just a few packets the appliance can be kept in a constant reboot

loop resulting in total loss of availability.

 

Proof of concept:

-----------------

The nsconfigd daemon can be crashed for six times using the following Python

script. Subsequently the appliance reboots.

Detailed proof of concept exploits have been removed for this vulnerability.

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in Citrix NetScaler VPX (Build

70.7.nc), which was the most recent version at the time of discovery.

 

Vendor contact timeline:

------------------------

2013-03-27: Contacting vendor through secure@citrix.com.

2013-03-28: Vendor provides encryption key.

2013-03-28: Sending advisory via secure channel.

2013-03-28: Vendor confirms receipt of advisory.

2013-04-08: Requesting status update.

2013-04-19: Requesting status update (again).

2013-04-22: Vendor confirms issues, is "in the process of scheduling required

changes".

2013-06-05: Requesting status update.

2013-06-25: Requesting status update (again).

2013-06-25: Vendor is still "in the process of scheduling changes".

2013-08-14: Requesting status update (again) and setting deadline (Oct. 3rd).

2013-09-18: Vendor provides release dates for the update (Oct. 1st and 2nd).

2013-10-03: SEC Consult releases coordinated security advisory.

 

Solution:

---------

Update to Citrix NetScaler 10.0 Build 76.7.

Vendor information can be found at:

support.citrix.com/article/ctx139017

 

Workaround:

-----------

No workaround available.

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

EOF Stefan Viehböck / @2013