Security Advisory
A safe, secure, and resilient infrastructure is the lifeline of any organization. Organizations must track new Common Vulnerabilities and Exposures (CVEs), and assess the impact of CVEs on their infrastructure. They must also understand and plan the remediation to resolve the vulnerabilities. The Security Advisory feature in NetScaler Console enables you to identify the CVEs putting your NetScaler instances at risk and recommends remediations. NetScaler Console security advisory highlights:
- Common Vulnerabilities and Exposures (CVEs) detection and remediation: identifies the CVEs putting your NetScaler instances at risk and recommends remediations.
- File Integrity Monitoring: identifies whether any changes or additions have been made to your NetScaler build files.
As an administrator, you must:
- Track any new Common Vulnerabilities and Exposures (CVEs), assess their impact, understand the remediation, and resolve the vulnerabilities.
- Examine the integrity of your NetScaler build files.
In NetScaler Console on-prem 25.x and later builds, Security Advisory is automatically enabled by default.
Points to note:
- File Integrity Monitoring is supported from 14.1-34.x and later builds. File Integrity Monitoring is enabled through the NetScaler telemetry automated mode with all prerequisites met. For more information, see Automated telemetry collection mode. If any prerequisite is not met, the File Integrity Monitoring tab is not displayed in Security Advisory.
- New CVE updates are synchronized automatically through the auto-enabled channel.
- Optional telemetry is collected when you enable Security Advisory. The recommendation is to keep Security Advisory enabled so that you receive the latest CVE updates. You can, however, disable the optional parameters: first disable Security Advisory in the NetScaler Telemetry page, then navigate to Settings > Administration > Enable or disable the Console feature data sharing, and clear the I agree to share Console feature usage data checkbox.
- If the Security Advisory page shows a banner stating that new CVE updates are not synchronized, check the NetScaler telemetry settings in the Console on-prem GUI for the following issues:
  - Security Advisory is disabled
  - Manual mode of telemetry collection is enabled
  - The endpoint URLs are not reachable
  - Upload has failed through the auto-enabled channel
The following table provides details about the Security Advisory feature availability in different NetScaler Console on-prem builds:
Build | Security Advisory feature availability | Action required | Data collection |
---|---|---|---|
14.1-25.x or later | Security Advisory is enabled by default | Ensure that the telemetry collection mode is in Automated mode and Security Advisory is enabled, and the prerequisite URLs are reachable. | Yes. Both required and optional parameters are collected through the NetScaler telemetry program. |
Between 14.1-8.x and 14.1-21.x | Security Advisory is enabled through Cloud Connect. | Configure Cloud Connect and enable Security Advisory. | Yes. After configuring Cloud Connect. |
14.1-4.x or earlier | Security Advisory is available only in Preview mode. | No action required | No |
Security advisory features
The following security advisory features help you protect your infrastructure:
CVEs:
Features | Description |
---|---|
System scan | Scans all managed instances by default once a week. NetScaler Console decides the date and time of system scans, and you cannot change them. |
On-demand scan | You can manually scan the instances when required. If the time elapsed after the last system scan is significant, you can run an on-demand scan to assess the current security posture. Or scan after a remediation has been applied, to assess the revised posture. |
CVE impact analysis | Shows the results of all CVEs impacting your infrastructure and all the NetScaler instances getting impacted and suggests remediation. Use this information to apply remediation to fix security risks. |
Scan Log | Stores the copies of the last five scans. You can download these reports in CSV and PDF formats, and analyze them. |
CVE repository | Gives a detailed view of all the NetScaler related CVEs that Citrix has announced since Dec 2019, that might impact your NetScaler infrastructure. You can use this view to understand the CVEs in the security advisory scope and to learn more about the CVE. For information on CVEs that are not supported, see Unsupported CVEs in Security Advisory. |
File Integrity Monitoring:
Features | Description |
---|---|
On-demand scan | You must run an on-demand scan to get results on any file changes detected in NetScaler build files. |
File integrity monitoring scan | Compares the binary hash value of your current NetScaler build files against the original binary hash and highlights if there are any file alterations or file additions. You can view the scan results under the File Integrity Monitoring tab. |
Points to note
- Security Advisory does not support NetScaler builds that have reached End of Life (EOL). We recommend that you upgrade to a supported NetScaler build or version.
- Instances supported for CVE detection: all NetScaler (SDX, MPX, VPX) and Gateway.
- Instances supported for File Integrity Monitoring: MPX and VPX instances, and Gateway.
- CVEs supported: all CVEs after Dec 2019.
  Note: The detection and remediation of vulnerabilities impacting the NetScaler Gateway plug-in for Windows is not supported by the NetScaler Console Security Advisory. For information on CVEs that are not supported, see Unsupported CVEs in Security Advisory.
- NetScaler Console security advisory does not account for any kind of feature misconfiguration while identifying the vulnerability.
- NetScaler Console security advisory only supports the identification and remediation of CVEs. It does not support identification and remediation of the security concerns that are highlighted in the Security article.
- Scope of NetScaler and Gateway releases: the feature is limited to main builds. Security advisory does not include any special build in its scope.
- Security advisory is not supported in an Admin partition.
The following types of scan are available for CVEs:
- Version scan: NetScaler Console compares the version of a NetScaler instance with the versions and builds on which the fix is available. This comparison lets security advisory identify whether the NetScaler is vulnerable to the CVE. For example, if a CVE is fixed on a NetScaler release and build xx.yy, security advisory considers all NetScaler instances on builds lower than xx.yy as vulnerable. Version scan is supported today in security advisory.
- Config scan: NetScaler Console matches a pattern specific to the CVE against the NetScaler configuration file (ns.conf). If the specific config pattern is present in ns.conf, the instance is considered vulnerable to that CVE. This scan is typically combined with a version scan. Config scan is supported today in security advisory.
- Custom scan: NetScaler Console connects to the managed NetScaler instance, pushes a script to it, and runs the script. The script output helps NetScaler Console identify whether the NetScaler is vulnerable to the CVE. Examples include specific shell command output, specific CLI command output, certain logs, and the existence or content of certain directories or files. Security Advisory also uses custom scans to match multiple config patterns when a config scan cannot do so. For CVEs that require custom scans, the script runs every time your scheduled or on-demand scan runs. Learn more about the data collected and options for specific custom scans in the Security Advisory documentation for that CVE.
The following scan is available for File Integrity Monitoring:
- File Integrity Monitoring scan: NetScaler Console connects to the managed NetScaler instance, runs a script on it to collect the current hash values of the NetScaler build files, and compares them with the original hashes. After the comparison, NetScaler Console reports the total number of existing files modified and the total number of newly added files. As an administrator, you can contact your organization's digital forensics team for further investigation of the scan results.
  The following directories are scanned:
  - /netscaler
  - /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin
  - /lib, /libexec, /usr/lib, /usr/libexec, /usr/local/lib, /usr/lib32, /compat
  - /etc
  - The rest of /usr
  - /root, /home, /mnt
- Scans do not impact production traffic on NetScaler and do not alter any NetScaler configuration.
- NetScaler Console Security Advisory does not support CVE mitigation. If you have applied a mitigation (temporary workaround) to the NetScaler instance, NetScaler Console still identifies the NetScaler as vulnerable until you have completed the remediation.
- For FIPS instances, the CVE scan is not supported, but the File Integrity Monitoring scan is supported.
- Some file changes might occur as part of the normal operation of the device, while others might warrant further investigation. When reviewing file changes, the following might be helpful:
  - Changes in the /netscaler directory (in .html and .js files) might result from the use of scripts or plug-ins.
  - The /etc directory includes configuration files that might get changed by unexpected intervention after the system boots.
  - It would be unusual if there are:
    - Reports in the /bin, /sbin, or /lib directories
    - New .php files in the /netscaler directory
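The following Python is an added example, not NetScaler Console code, that models the File Integrity Monitoring scan described above (hash the build files present now, compare them against the baseline hashes for the build, and count modified and added files) and then applies the review guidance in the preceding list to tag each change. The file trees are constructed and held in memory rather than read from a NetScaler, and the tagging rules are this example's own encoding of the guidance, not Console's logic.

```python
"""File Integrity Monitoring modelled on the scan described above: hash the build
files now present on the instance, compare them with the baseline hashes for that
build, count modified and added files, and tag each change using the review
guidance above. Added example, not NetScaler Console code: the file trees are
constructed and held in memory, and the tagging rules are this example's own
encoding of the guidance, not Console's logic."""
import hashlib

# Directories in the scan scope listed above; '/usr' covers /usr/bin, /usr/lib,
# /usr/local/bin, /usr/lib32 and 'the rest of /usr'.
SCANNED_ROOTS = ("/netscaler", "/bin", "/sbin", "/lib", "/libexec", "/compat",
                 "/usr", "/etc", "/root", "/home", "/mnt")


def in_scope(path: str) -> bool:
    return any(path == root or path.startswith(root + "/") for root in SCANNED_ROOTS)


def hash_tree(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 per in-scope file. On a real instance the script would read the files;
    here the tree is an in-memory {path: contents} dict."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items() if in_scope(p)}


def compare(baseline: dict[str, str], current: dict[str, str]) -> tuple[list[str], list[str]]:
    """Existing files whose hash changed, and files absent from the baseline.
    Deleted files are not part of the two totals the page describes, so they are
    not reported here either."""
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    return modified, added


def triage(path: str, added: bool) -> str:
    """Tag a change with the review guidance: unusual locations first."""
    top = "/" + path.split("/", 2)[1]
    if top in ("/bin", "/sbin", "/lib"):
        return "unusual: change in a binary directory"
    if added and path.startswith("/netscaler/") and path.endswith(".php"):
        return "unusual: new .php file under /netscaler"
    if not added and path.startswith("/netscaler/") and path.endswith((".html", ".js")):
        return "review: may come from scripts or plug-ins"
    if top == "/etc":
        return "review: configuration file changed after boot"
    return "review"


def scan_instance(baseline_files: dict[str, bytes], current_files: dict[str, bytes]) -> dict:
    modified, added = compare(hash_tree(baseline_files), hash_tree(current_files))
    findings = [(p, "modified", triage(p, added=False)) for p in modified] + \
               [(p, "added", triage(p, added=True)) for p in added]
    return {
        "existing_files_modified": len(modified),
        "new_files_added": len(added),
        "unusual": sorted(p for p, _, tag in findings if tag.startswith("unusual")),
        "findings": findings,
    }


# Constructed baseline for one build and the tree found on the instance now.
BASELINE = {
    "/netscaler/ns_gui/vpn/index.html": b"<html>original</html>",
    "/netscaler/ns_gui/vpn/login.js": b"var shipped = true;",
    "/bin/sh": b"ELF shipped shell",
    "/etc/rc.netscaler": b"# shipped rc",
    "/usr/bin/sudo": b"ELF shipped sudo",
    "/var/log/ns.log": b"log line",           # outside the scan scope
}
CURRENT = {
    **BASELINE,
    "/netscaler/ns_gui/vpn/index.html": b"<html>edited</html>",   # modified
    "/bin/sh": b"ELF replaced shell",                               # modified, unusual
    "/netscaler/ns_gui/vpn/plugin.php": b"<?php ... ?>",            # added, unusual
    "/usr/local/bin/helper": b"#!/bin/sh",                          # added
    "/var/tmp/scratch": b"ignored",                                 # outside the scan scope
}

if __name__ == "__main__":
    result = scan_instance(BASELINE, CURRENT)
    print(result["existing_files_modified"], "modified,", result["new_files_added"], "added")
    for path, kind, tag in result["findings"]:
        print(f"{kind:8} {path}  [{tag}]")
```

The constructed run reports two existing files modified and two new files added; the edited index.html is tagged for review because the page says .html and .js changes under /netscaler can come from scripts or plug-ins, while the replaced /bin/sh and the new .php file under /netscaler are tagged unusual. Files under /var are ignored because they are outside the listed scan roots. The disclaimer at the end of this page still applies: a hash comparison only tells you that a file differs from the shipped build, not what changed it, so unusual findings are a reason to involve forensic investigators rather than a verdict.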
How to use the security advisory dashboard
To access the Security Advisory dashboard, from the NetScaler Console GUI, navigate to Infrastructure > Instance Advisory > Security Advisory.
The dashboard includes four tabs:
- Current CVEs
- File Integrity Monitoring
- Scan Log
- CVE Repository
Important:
In the Security Advisory GUI or report, not all CVEs might appear; you might see only one CVE. As a workaround, click Scan Now to run an on-demand scan. After the scan completes, all the CVEs in scope (approximately 15) appear in the UI or report.
On the upper-right corner of the dashboard is the settings icon, which allows you to:
- Enable and disable notifications (applicable only for CVEs). You can receive the following notifications for CVE impact:
  - Email, Slack, PagerDuty, and ServiceNow notifications for CVE scan result changes and for new CVEs that are added to the CVE repository.
  - Cloud notification for CVE impact scan result changes.
- Configure Custom Scan Settings (applicable only for CVEs). Click the Custom Scan Settings list to view the additional settings checkbox. Selecting the checkbox opts you out of these CVE custom scans; the impact of CVEs that need a custom scan is then not evaluated for your NetScaler instances in the Security Advisory.
Current CVEs
This tab shows the number of CVEs impacting your instances and also the instances that are impacted by CVEs. The tabs are not sequential, and as an admin, you can switch between these tabs depending on your use case.
The table showing the number of CVEs impacting the NetScaler instances has the following details.
CVE ID: The ID of the CVE impacting the instances.
Publication date: The date the security bulletin was released for that CVE.
Severity score: The severity type (high/medium/critical) and score. To see the score, hover over the severity type.
Vulnerability type: The type of vulnerability for this CVE.
Affected NetScaler instances: The instance count that the CVE ID is impacting. On hover over, the list of NetScaler instances appears.
Remediation: The available remediations, which are upgrading the instance (usually) or applying config packs.
The same instance can be impacted by multiple CVEs. This table helps you see how many instances one particular CVE or multiple selected CVEs are impacting. To check the IP address of the impacted instance, hover over NetScaler Details under Affected NetScaler Instances. To check the details of the impacted instance, click View Affected Instances at the bottom of the table. You can also add or remove columns in the table by clicking the plus sign.
In the example screen, three CVEs impact your instances and one instance is impacted by these CVEs.
The "<number of> NetScaler instances are impacted by CVEs" tab shows all the affected NetScaler instances managed by NetScaler Console. The table shows the following details:
- NetScaler IP address
- Host name
- NetScaler model number
- State of the NetScaler
- Software version and build
- List of CVEs impacting the NetScaler.
You can add or remove any of these columns according to your need, by clicking the + sign.
To fix the vulnerability issue, select the NetScaler instance and apply the recommended remediation. Most of the CVEs need upgrade as a remediation, while others need upgrade and an additional step as remediation.
- For CVE-2020-8300 remediation, see Remediate vulnerabilities for CVE-2020-8300.
- For CVE-2021-22927 and CVE-2021-22920, see Remediate vulnerabilities for CVE-2021-22927 and CVE-2021-22920.
- For CVE-2021-22956, see Identify and remediate vulnerabilities for CVE-2021-22956.
- For CVE-2022-27509, see Remediate vulnerabilities for CVE-2022-27509.
Note
If your NetScaler instances have customizations, see Upgrade considerations for customized NetScaler configurations before planning NetScaler upgrade.
Upgrade: You can upgrade the vulnerable NetScaler instances to a release and build that has the fix. This detail can be seen in the remediation column. To upgrade, select the instance and then click Proceed to upgrade workflow. In the upgrade workflow, the vulnerable NetScaler is auto-populated as the target NetScaler.
Note
The releases 12.0, 11.0, 10.5 and lower are already end of life (EOL). If your NetScaler instances are running on any of these releases, upgrade to a supported release.
The upgrade workflow starts. For more information on how to use NetScaler Console to upgrade NetScaler instances, see Use jobs to upgrade NetScaler instances.
Note
The release and build to which you want to upgrade is at your discretion. See the advice under the remediation column to know which release and builds have the security fix. And accordingly select a supported release and build, which has not reached end of life yet.
File Integrity Monitoring
This tab shows the File Integrity Monitoring scan result with NetScaler instances that have any alterations or additions to the original NetScaler build files.
The following example shows the scan result for two impacted NetScaler instances with existing files modified and new files added to the original build files.
Click the numbers under Existing files modified and New files added to view details.
Scan Log (applicable only for CVEs)
The tab shows reports of the last five CVE scans, which include both default system scans and on-demand user-initiated scans. You can download the report of each scan in CSV and PDF formats. If an on-demand scan is in progress, you can also see the completion status.
CVE Repository
This tab includes the latest information on all CVEs since December 2019, along with the following details:
- CVE IDs
- Vulnerability type
- Publication date
- Severity level
- Remediation
- Links to security bulletins
Scan Now
You can scan the instances anytime, according to your need.
Click Scan Now to scan for CVEs that are impacting your NetScaler instances. Once the scanning is complete, the revised security details appear in the security advisory GUI.
NetScaler Console takes a few minutes to complete the scan.
Notification (applicable only for CVEs)
As an admin, you receive Citrix Cloud notifications, which tell how many NetScaler instances are vulnerable with CVEs. To see the notifications, click the bell icon on the upper-right corner of the NetScaler Console GUI.
Disclaimer:
Please note that NetScaler File Integrity Monitoring (“the Feature”) is not capable of detecting all techniques, tactics, or procedures (TTPs) threat actors may use when targeting relevant environments. Threat actors change TTPs and infrastructure frequently, and therefore the Feature may be of limited to no forensic value as to certain threats. You are strongly advised to retain the services of experienced forensic investigators to assess your environment in connection with any possible threat.
This document and the information contained in it is provided as-is. Cloud Software Group, Inc. makes no warranties or representations, whether express or implied, regarding the document or its contents, including, without limitation, that this document or the information contained in it, is error-free or meets any conditions of merchantability or fitness for a particular purpose.