Citrix Netscaler 10.0 Denial Of Service

Posted Oct 3, 2013
Authored by S. Viehbock | Site sec-consult.com

A vulnerability was found in the nsconfigd daemon (TCP port 3008/SSL and 3010). This daemon can be crashed by sending a specially crafted message. No prior authentication is necessary. A watchdog daemon (pitboss) automatically restarts nsconfigd after the first six crashes and then reboots the appliance. By sending just a few packets the appliance can be kept in a constant reboot loop resulting in total loss of availability. The vulnerabilities have been verified to exist in Citrix NetScaler VPX (Build 70.7.nc), which was the most recent version at the time of discovery.

tags | advisory, tcp, vulnerability
SHA-256 | 58dcdce47632f720bc628f80305effb40ef074b20b017ef9442a1abcc451ee3b

SEC Consult Vulnerability Lab Security Advisory < 20131003-0 >
=======================================================================
title: nsconfigd NSRPC_REMOTECMD Denial of service vulnerability
product: Citrix NetScaler
vulnerable version: NetScaler 10.0 (Build <76.7)
fixed version: NetScaler 10.0 (Build >=76.7)
not affected: NetScaler 10.1 and 9.3
impact: Critical
homepage: http://www.citrix.com
found: 2012-12-10
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"Citrix NetScaler helps organizations build enterprise cloud networks that
embody the characteristics and capabilities that define public cloud services,
such as elasticity, expandability and simplicity. NetScaler brings to
enterprise IT leaders multiple advanced technologies that were previously
available only to large public cloud providers."

"As an undisputed leader of service and application delivery, Citrix NetScaler
solutions are deployed in thousands of networks around the globe to optimize,
secure and control the delivery of all enterprise and cloud services. They
deliver 100 percent application availability, application and database server
offload, acceleration and advanced attack protection. Deployed directly in
front of web and database servers, NetScaler solutions combine high-speed load
balancing and content switching, http compression, content caching, SSL
acceleration, application flow visibility and a powerful application firewall
into a single, easy-to-use platform."

URL: http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html


Vulnerability overview/description:
-----------------------------------
A vulnerability was found in the nsconfigd daemon (TCP port 3008 (SSL) and
3010). This daemon can be crashed by sending a specially crafted message.
No prior authentication is necessary. A watchdog daemon (pitboss) automatically
restarts nsconfigd after the first six crashes and then reboots the appliance.
By sending just a few packets the appliance can be kept in a constant reboot
loop resulting in total loss of availability.


Proof of concept:
-----------------
The nsconfigd daemon can be crashed six times using the following Python
script. Subsequently the appliance reboots.

Detailed proof of concept exploits have been removed for this vulnerability.


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Citrix NetScaler VPX (Build
70.7.nc), which was the most recent version at the time of discovery.


Vendor contact timeline:
------------------------
2013-03-27: Contacting vendor through secure@citrix.com.
2013-03-28: Vendor provides encryption key.
2013-03-28: Sending advisory via secure channel.
2013-03-28: Vendor confirms receipt of advisory.
2013-04-08: Requesting status update.
2013-04-19: Requesting status update (again).
2013-04-22: Vendor confirms issues, is "in the process of scheduling required
changes".
2013-06-05: Requesting status update.
2013-06-25: Requesting status update (again).
2013-06-25: Vendor is still "in the process of scheduling changes".
2013-08-14: Requesting status update (again) and setting deadline (Oct. 3rd).
2013-09-18: Vendor provides release dates for the update (Oct. 1st and 2nd).
2013-10-03: SEC Consult releases coordinated security advisory.


Solution:
---------
Update to Citrix NetScaler 10.0 Build 76.7.

Vendor information can be found at:
http://support.citrix.com/article/ctx139017
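
Added example (not part of the SEC Consult advisory or any Citrix tooling): a
small inventory triage that applies the version matrix from the advisory header
to appliance version banners. The banner shape "NS<release>: Build <build>",
the hostnames and the sample build numbers are assumptions constructed for the
example.

```python
import re

# Thresholds taken from the advisory header: 10.0 builds below 76.7 are
# vulnerable; 10.1 and 9.3 are listed as not affected.
AFFECTED_RELEASE = (10, 0)
FIXED_BUILD = (76, 7)
NOT_AFFECTED_RELEASES = {(10, 1), (9, 3)}

# Assumed banner shape, e.g. "NetScaler NS10.0: Build 70.7.nc, Date: ..."
VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def classify(banner):
    """Return 'vulnerable', 'fixed', 'not affected' or 'unknown'."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"
    major, minor, b_major, b_minor = map(int, m.groups())
    release, build = (major, minor), (b_major, b_minor)
    if release == AFFECTED_RELEASE:
        # Compare as integer tuples: 76.10 is newer than 76.7, which a
        # string or float comparison would get wrong.
        return "vulnerable" if build < FIXED_BUILD else "fixed"
    if release in NOT_AFFECTED_RELEASES:
        return "not affected"
    return "unknown"  # release not covered by the advisory


def triage(inventory):
    """Map hostname -> status for 'host<TAB>banner' lines."""
    rows = (l.partition("\t") for l in inventory.splitlines() if l.strip())
    return {host.strip(): classify(banner) for host, _, banner in rows}


# Constructed inventory; hostnames, builds and dates are made up.
SAMPLE = (
    "adc-01\tNetScaler NS10.0: Build 70.7.nc, Date: (constructed)\n"
    "adc-02\tNetScaler NS10.0: Build 76.7.nc, Date: (constructed)\n"
    "adc-03\tNetScaler NS10.0: Build 76.10.nc, Date: (constructed)\n"
    "adc-04\tNetScaler NS10.1: Build 118.7.nc, Date: (constructed)\n"
    "adc-05\tNetScaler NS9.3: Build 58.5.nc, Date: (constructed)\n"
    "adc-06\tunparseable banner\n"
)

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check, since the advisory only
covers releases 10.0, 10.1 and 9.3.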


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2013