November has started with the announcement of a high security OpenSSL vulnerability. OpenSSL has released a blog post that provides more detail, and OpenSSL versions 3.0.0 through 3.0.6 are the ones to watch out for. Now that everyone is hopefully in the process of remediating their systems, let’s discuss how NetScaler can help.
What Happened?
There are two buffer overflow vulnerabilities identified by OpenSSL in the November 1 advisory:
- CVE-2022-3602: X.509 certificate email address 4-byte buffer overflow
- CVE-2022-3786: X.509 certificate email address variable length buffer overflow
This vulnerability was initially categorized as a CRITICAL vulnerability, but further investigation led it to be downgraded to HIGH. This can be triggered by a TLS server requesting a client certificate for authentication and a malicious client submits a specially crafted certificate. The recommended fixes for this vulnerability are to upgrade to version 3.0.7 of OpenSSL, or as a workaround, disable client certificate authentication.
Is NetScaler Impacted?
Currently, there are no affected OpenSSL libraries on any of these NetScaler products, including MPX hardware, SDX guest images including SVM, lights-out management on hardware appliances, VPX images, or ADM on-prem and ADM agent.
How NetScaler Can Help
In order for an attacker to exploit this vulnerability on your servers, they need to provide a specially crafted client certificate with a malformed email address field.
This will only be successful against servers that are configured for client certificate authentication. For these services, NetScaler can mitigate the risk from this vulnerability while still allowing users the convenience of logging on with a client certificate.
Simply proxying the connection through NetScaler provides a mitigation for systems that are running the vulnerable library.
Applications that are configured to use client certificate authentication will be the highest priority to get patched. If they cannot be patched, NetScaler can provide a “virtual patch” to protect them.
Recommendations
For more information on configuring client certificate authentication on NetScaler, please review the product documentation.
Patches and Mitigations
Citrix strongly recommends that customers apply patches from respective vendors as soon as they are made available. Until a patch is made available, you may reduce the risk of a successful attack by applying mitigations. Mitigations should not be considered full solutions as they do not fully address the underlying issue(s).