Description of Problem
The recently disclosed protocol flaw in SSLv3, referred to as CVE-2014-3566 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566) or POODLE, could expose some deployments that support SSLv3 to a risk of an active Man in the Middle (MITM) attack. A successful attack could lead to the disclosure of the information that is being sent over the encrypted channel.
Considering the mitigating factors described below, Citrix does not consider this to be a high risk vulnerability. However, Citrix recommends that customers review their usage of SSLv3 and take steps to reconfigure their deployments to remove support for SSLv3 where appropriate.
Customers should consider the following mitigating factors when assessing the risks posed by this issue:
- In order to exploit this issue, a network-based attacker would need to be in a position to inject selected plain text into the encrypted channel. A typical scenario would be where a malicious script running inside a web browser is able to send data through the SSLv3 encrypted channel.
- A typical exploit would require a relatively high volume of malicious traffic to extract a small quantity of data from the SSLv3 encrypted channel.
- Customers using deployments configured to be FIPS 140-2 compliant would typically not be affected by this issue as SSLv3 should not be enabled.
What Customers Should Do
The following sections provide guidance on configuring SSLv3 support for relevant Citrix products; additional sections will be added as our analysis progresses. Customers requiring further assistance should refer to the documentation for their products or contact their normal Citrix Support representative. Product documentation is available on the Citrix website at the following address: /proddocs/topic/infocenter/ic-how-to-use.html
Citrix NetScaler ADC and NetScaler Gateway
Customers should note that some scanning tools may report the TLS and DTLS Padding Validation Vulnerability described in CTX200378 as the “POODLE” or “TLS POODLE” vulnerability. If these issues are still being reported when SSLv3 has been disabled please refer to CTX200378 for guidance.
To disable SSLv3 on a specific vServer, run the following command from the NSCLI:
set ssl vserver <vservername> -ssl3 disabled
NetScaler Management Interfaces:
To disable SSLv3 on the NetScaler management interface, run the following commands from the NSCLI:
set ssl service nshttps-127.0.0.1-443 -ssl3 disabled
NetScaler Management Interfaces on the MIP/SNIP:
To disable SSLv3 on the MIP/SNIP, identify the internal service names by running the following command from the NSCLI for each IP address:
show service -internal | grep <IP>
SSLv3 can then be disabled for each IP address using the following NSCLI command:
set ssl service <internal service name for that ip> -ssl3 disabled
Note that, after these commands have been run, the NetScaler configuration should be saved with the NSCLI command "save config" so that the changes persist across appliance reboots. As with all configuration changes, Citrix recommends that these changes are validated within a test environment prior to deploying to a production environment.
Customers requiring further assistance should refer to the documentation for their products or contact their normal Citrix Support representative.
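After SSLv3 has been disabled on a vServer or management service, the change should be confirmed from the network side rather than only from the configuration. The following Python script is an added verification example, not part of this bulletin or any Citrix tooling: it sends a raw SSLv3 ClientHello (the ssl module in current Python builds cannot speak SSLv3) and classifies the first record the server returns. The host, port and cipher suite list are assumptions.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# Constructed sample of RSA suites any SSLv3 stack of the period offered.
CIPHER_SUITES = b"\x00\x0a\x00\x2f\x00\x35\x00\x05"


def build_sslv3_client_hello(random_bytes=None):
    """Return one SSLv3 record (type 22) carrying a ClientHello (type 1)."""
    random_bytes = random_bytes if random_bytes is not None else os.urandom(32)
    body = (
        SSLV3                                             # client_version = 3.0
        + random_bytes                                    # 32-byte ClientRandom
        + b"\x00"                                         # empty session_id
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                                     # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record the server returns to 'accepted', 'rejected' or 'unknown'."""
    if len(data) < 5:
        return "rejected"            # closed/reset before any record: SSLv3 not offered
    content_type = data[0]
    payload = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if content_type == 0x15:
        return "rejected"            # Alert (e.g. handshake_failure / protocol_version)
    if content_type == 0x16 and payload[:1] == b"\x02" and payload[4:6] == SSLV3:
        return "accepted"            # ServerHello with server_version 3.0: still exposed
    return "unknown"                 # anything else, e.g. a ServerHello for another version


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "rejected"


if __name__ == "__main__":
    import sys
    print(probe_sslv3(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A result of "accepted" after the commands above means the service still negotiates SSLv3 and the configuration should be rechecked (and saved); "unknown" indicates a server that answered with something other than an SSLv3 ServerHello or an Alert and is worth inspecting by hand.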
NetScaler Service Delivery Appliances
Customers using the NetScaler Service Delivery Appliance service VM are affected by this vulnerability. To address this issue, customers should upgrade their Service Delivery Appliances to the following versions:
- 10.5 Build 54.9 and later
- 10.5 Build 54.9009.e and later
- 10.1 Build 131.1 and later
- 10.1 Build 130.1302.e and later
Customers using Command Center are affected by this vulnerability. To address this issue, customers should upgrade their Command Center deployment to the following versions:
- 5.2 Build 43.19 and later
- 5.1 Build 36.7 and later
Citrix Secure Gateway & SSL Relay
Information on how to configure supported versions of Citrix Secure Gateway can be found in the product documentation. This is available on the Citrix website at the following address:
It is possible to configure the protocol versions used by the internal SSL Relay component under the "Connection" tab of the configuration utility. Further information on this can be found in the product documentation at the following address:
Citrix Web Interface & Storefront
Information on how to configure the use of cryptographic protocols on the underlying Microsoft web server can be found at the following location:
Customers wishing to configure their XenMobile Device Manager (XDM) deployments to prevent the use of SSLv3 can make the following changes:
- Open the XDM tomcat configuration file server.xml for editing. The default installation location is c:\program files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\server.xml
- Add the following line to the https connector. Note: The default ports for the https connector are 443 and 8443:
- Save the configuration file and restart XDM
Citrix CloudPortal Business Manager
Information on how to configure the use of cryptographic protocols on the underlying web server can be found at the following location:
Citrix SaaS Solutions
The following Citrix SaaS Solutions products are vulnerable to this issue:
- Citrix Labs Products (GoToMeet.me)
Citrix is actively working to address this issue and further information will be added to the document as it becomes available.
Citrix XenMobile and App Controller
A patch for affected versions of Citrix App Controller has been released that addresses this vulnerability. This patch is available on the Citrix website at the following address:
Citrix recommends that customers using affected versions of App Controller apply this patch to their appliances as soon as their patching schedule allows.
Citrix XenMobile & App Controller 10 are not affected by this vulnerability.
The following versions of Citrix VDI-In-A-Box (VIAB) are impacted by this vulnerability:
Citrix VDI-In-A-Box 5.4.x: A new version of VIAB, 5.4.5, has been released to address this issue. This can be found at the following address: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54.html
Citrix VDI-In-A-Box 5.3.x: A new version of VIAB, 5.3.10, has been released to address this vulnerability. This can be found at the following address: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53.html
In configurations where CloudPlatform has been configured to use HTTPS to provide secure communication to the management server, Citrix recommends that customers consider disabling SSLv3. Information on how to configure the underlying webserver to support TLS only can be found in the following article: http://support.ctx.org.cn/CTX132008.citrix
Citrix recommends that customers using affected versions of CloudPlatform update their SystemVM ISOs and upgrade their system and router virtual machine templates to the latest version. Information on how to obtain and carry out these updates can be found in the following articles:
- Updating the CloudPlatform SystemVM ISO: https://support.citrix.comhttp://support.ctx.org.cn/CTX200459.citrix
- Upgrading CloudPlatform system and router virtual machine templates: https://support.citrix.comhttp://support.ctx.org.cn/CTX200024.citrix
License Server for Windows:
When configured to use SSL, the License Server for Windows is impacted by this vulnerability. To disable SSLv3 on License Server for Windows, please see the following article: https://support.citrix.comhttp://support.ctx.org.cn/CTX200265.citrix
License Server VPX:
SSLv3 is disabled in version 11.12.1 and later of the License Server VPX. Citrix recommends that customers upgrade to version 11.12.1 and later to address this issue. This version can be found at the following address: http://www.citrix.com/downloads/licensing.html
What Citrix is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at /.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
| Date | Change |
|---|---|
| October 15th 2014 | Initial bulletin published |
| October 16th 2014 | Secure Gateway configuration added |
| October 20th 2014 | SSL Relay, Web Interface/Storefront and XenMobile configuration added |
| November 7th 2014 | CloudPortal Business Manager section added |
| November 13th 2014 | SaaS Solutions section added |
| February 2nd 2015 | XenMobile App Controller section added |
| February 25th 2015 | Addition of VDI-In-A-Box section |
| March 4th 2015 | Addition of CloudPlatform section, change to XenMobile section |
| March 18th 2015 | VDI-In-A-Box section updated |
| April 8th 2015 | Update to Secure Gateway & SSL Relay section |
| April 28th 2015 | Update to NetScaler section |
| May 21st 2015 | Addition of Licensing section |
| July 7th 2015 | Update to SaaS Solutions section |
| September 1st 2015 | Update to NetScaler section |
| September 8th 2015 | Addition of Command Center section |
| March 22nd 2016 | Updated link in Citrix Secure Gateway & SSL Relay section |