Yet another OpenSSL security advisory – released January 26, 2017 – has revealed four new issues ranging from moderate to low severity. We would like to reassure our customers that NetScaler is unaffected by these vulnerabilities.
CVE-2017-3731 – If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash.
NetScaler does not have support for CHACHA/POLY-based ciphersuites, and does not carry the affected code relating to the insecure usage of RC4-MD5. Customers may, further, choose to disable the RC4-MD5 ciphersuite on NetScaler as a recommended best practice measure. RC4-MD5 is a ciphersuite that is widely considered obsolete and insecure.
If the IPMI/LOM port on your NetScaler hardware appliance is configured to connect to servers that may use RC4-MD5, please ensure that it is only configured to connect to trusted servers. The trusted server should not negotiate a connection using the insecure RC4-MD5 ciphersuite to avoid exposure to this known vulnerability.
NetScaler remains unaffected by each of the following three vulnerabilities due to the lack of vulnerable code across all supported versions.
CVE-2017-3730 – Potential Denial of Service attack due to a NULL pointer dereference on a vulnerable client during a DHE/ECDHE key exchange.
CVE-2017-3732 – A carry propagating bug in the underlying BN_mod_exp method may produce incorrect results on x86_64 systems. DHE based ciphersuite negotiations are considered vulnerable.
CVE-2016-7055 – A carry propagating bug in Montgomery multiplication may produce incorrect results, potentially affecting ECDH key negotiations.
As always, Citrix remains committed towards ensuring security of its products. You can read more about our security practices here –
Get your NetScaler an A+ rating on SSL –