CVE Detection
NetScaler detects CVEs by scanning instance versions, configurations, and system files to identify vulnerabilities. It uses an updated CVE repository and provides detailed impact analysis and remediation suggestions.
The CVE Detection section in the Security Advisory dashboard lists the following:
- Number of CVEs detected
- Number of NetScaler instances impacted
- Date when the last scan was run
- Impacted NetScaler instances categorized under Critical, High, Medium, and Low severity
As an administrator, you can allow NetScaler to run the system scans that are scheduled periodically or you can choose to run on-demand scans based on your need.
- System scan - Scans all managed instances by default. NetScaler Console decides the date and time of system scans, and you cannot change them.
- On-demand scan - You can manually scan the instances when required. If significant time has elapsed since the last system scan, you can run an on-demand scan to assess the current security posture, or scan after a remediation has been applied to assess the revised posture. To run the on-demand scan, click Scan now on the security advisory.
You can click the CVE Detection section to view detailed information.
The CVE Detection section has two views:
- Instance view
- CVE view
Instance view
The instance view contains Impacted Instances and CVE Repository tabs.
The Impacted Instances tab displays the list of impacted NetScaler instances.
The impacted instances are categorized based on the following form factors:
- MPX and VPX
- SDX
- CPX
- BLX
You can also search the instances based on the following:
- CVE Detected
- Host Name
- Model
- NetScaler Instance
- State
The table shows the following details:
- NetScaler IP address
- Host name
- NetScaler model number
- State of the NetScaler
- Software version and build
- List of CVEs impacting the NetScaler.
Most CVEs need an upgrade as remediation, while others need an upgrade plus an additional step.
- For CVE-2020-8300 remediation, see Remediate vulnerabilities for CVE-2020-8300.
- For CVE-2021-22927 and CVE-2021-22920, see Remediate vulnerabilities for CVE-2021-22927 and CVE-2021-22920.
- For CVE-2021-22956, see Identify and remediate vulnerabilities for CVE-2021-22956.
- For CVE-2022-27509, see Remediate vulnerabilities for CVE-2022-27509.
Note
If your NetScaler instances have customizations, see Upgrade considerations for customized NetScaler configurations before planning NetScaler upgrade.
You can upgrade the vulnerable NetScaler instances to a release and build that has the fix. To upgrade, perform one of the following:
- Upgrade workflow - Select an instance and click Proceed to upgrade workflow.
- Configuration job workflow - Select an instance and click Configuration job workflow.
The upgrade workflow starts and the vulnerable NetScaler is auto-populated as the target NetScaler. For more information on how to use NetScaler Console to upgrade NetScaler instances, see Use jobs to upgrade NetScaler instances.
Note:
The releases 13.0, 12.1, 12.0, 11.0, 10.5, and lower are already end of life (EOL). If your NetScaler instances are running on any of these releases, upgrade to a supported release.
The release and build to which you want to upgrade is at your discretion. See the advice under the Remediation column to know which releases and builds contain the security fix, and then select a supported release and build that has not reached end of life.
To switch to CVE view, click Switch to CVE View.
CVE view
The CVE view displays the results for all CVEs impacting your infrastructure, all the NetScaler instances that are impacted, and the suggested remediation. You can use this information to apply remediation and fix security risks.
The table showing the number of CVEs impacting the NetScaler instances has the following details:
- CVE ID: The ID of the CVE that impacts the instances.
- Publication date: The date the security bulletin was released for that CVE.
- Severity score: The severity type (high/medium/critical) and score. To see the score, hover over the severity type.
- Vulnerability type: The type of vulnerability for this CVE.
- Affected NetScaler instances: The number of instances that the CVE ID is impacting. Hover over it to see the list of NetScaler instances.
- Remediation: The available remediations, which are upgrading the instance (usually) or applying configuration packs.
The same instance can be impacted by multiple CVEs. This table helps you see how many instances one particular CVE or multiple selected CVEs are impacting. To check the IP address of the impacted instance, hover over NetScaler Details under Affected NetScaler Instances. To check the details of the impacted instance, click View Affected Instances at the bottom of the table. You can also add or remove columns in the table by clicking the plus sign.
CVE repository
Both the instance view and the CVE view contain the CVE Repository tab. This tab gives a detailed view of all the NetScaler-related CVEs that Citrix has announced since Dec 2019 that might impact your NetScaler infrastructure. For each CVE, it lists the following:
- CVE IDs
- Vulnerability type
- Publication date
- Severity level
- Remediation
- Links to security bulletins
You can use this view to understand the CVEs in the security advisory scope and to learn more about the CVE. For information on CVEs that are not supported, see Unsupported CVEs in Security Advisory.
Points to note
- Security Advisory does not support NetScaler builds that have reached End of Life (EOL). We recommend that you upgrade to the supported NetScaler builds or versions.
- Instances supported for CVE detection: all NetScaler (SDX, MPX, VPX) and Gateway.
- Instances supported for File Integrity Monitoring: MPX, VPX instances, and Gateway.
- CVEs supported: All CVEs after Dec 2019.
Note:
The detection and remediation of vulnerabilities impacting the NetScaler Gateway plug-in for Windows is not supported by the NetScaler Console Security Advisory. For information on CVEs that are not supported, see Unsupported CVEs in Security Advisory.
- NetScaler Console security advisory doesn’t account for any kind of feature misconfiguration while identifying the vulnerability.
- NetScaler Console security advisory only supports the identification and remediation of the CVEs. It does not support identification and remediation of the security concerns that are highlighted in the Security article.
- Scope of NetScaler, Gateway releases: The feature is limited to main builds. Security advisory does not include any special build in its scope.
- Security advisory is not supported in the Admin partition.
- The following types of scan are available for CVEs:
  - Version scan: This scan needs NetScaler Console to compare the version of a NetScaler instance with the versions and builds on which the fix is available. This version comparison helps NetScaler Console security advisory identify whether the NetScaler is vulnerable to the CVE. For example, if a CVE is fixed on a NetScaler release and build xx.yy, the security advisory considers all the NetScaler instances on builds earlier than xx.yy as vulnerable. Version scan is supported today in security advisory.
  - Config scan: This scan needs NetScaler Console to match a pattern specific to the CVE scan against the NetScaler config file (ns.conf). If the specific config pattern is present in the NetScaler ns.conf file, the instance is considered vulnerable for that CVE. This scan is typically used with version scan. Config scan is supported today in security advisory.
  - Custom scan: This scan needs NetScaler Console to connect with the managed NetScaler instance, push a script to it, and run the script. The script output helps NetScaler Console identify whether the NetScaler is vulnerable to the CVE. Examples include specific shell command output, specific CLI command output, certain logs, and the existence or content of certain directories or files. For CVEs that require custom scans, the script runs every time your scheduled or on-demand scan runs. Learn more about the data collected and options for specific custom scans in the Security Advisory documentation for that CVE.
- Scans do not impact production traffic on NetScaler and do not alter any NetScaler configuration on NetScaler.
- NetScaler Console Security Advisory does not support CVE mitigation. If you have applied a mitigation (temporary workaround) to the NetScaler instance, NetScaler Console still identifies the NetScaler as vulnerable until you have completed remediation.
- For FIPS instances, the CVE scan is not supported.
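The version scan and config scan described in the points above, modelled as an added example that is not NetScaler Console's own code: the CVE entry, its fixed builds, the version-string format, the ns.conf pattern and the ns.conf excerpt are all constructed placeholders, while the EOL release list comes from the note earlier on this page.

```python
"""Added example: a version scan combined with a config scan, as described above.
Illustrative only; not NetScaler Console's logic. The CVE entry, fixed builds,
version-string format and ns.conf pattern are constructed placeholders."""
import re

# Constructed advisory entry: the fix for the placeholder CVE is assumed to be
# available on release 13.1 build 37.38 and release 14.1 build 12.30.
FIXED_BUILDS = {"13.1": (37, 38), "14.1": (12, 30)}
# Releases the page lists as end of life; Security Advisory does not scan them.
EOL_RELEASES = {"13.0", "12.1", "12.0", "11.0", "10.5"}
# Constructed pattern standing in for a CVE-specific ns.conf pattern.
CONFIG_PATTERN = re.compile(r"^(?:add|set) placeholderFeature .*-placeholderOption ENABLED", re.M)

# Constructed ns.conf excerpt (assumed one command per line).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add placeholderFeature demoAction -placeholderOption ENABLED
"""


def parse_version(version: str) -> tuple[str, tuple[int, int]]:
    """Split an assumed 'NS13.1 37.38.nc' style string into ('13.1', (37, 38))."""
    m = re.fullmatch(r"NS(\d+\.\d+)\s+(\d+)\.(\d+)(?:\.\w+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def version_scan(version: str) -> str:
    """Version scan: 'vulnerable' when the build is earlier than the fixed build,
    'fixed' otherwise, 'eol' for EOL releases, 'unknown' for unlisted releases."""
    release, build = parse_version(version)
    if release in EOL_RELEASES:
        return "eol"
    if release not in FIXED_BUILDS:
        return "unknown"
    return "vulnerable" if build < FIXED_BUILDS[release] else "fixed"


def config_scan(ns_conf: str) -> bool:
    """Config scan: True when the CVE-specific pattern appears in ns.conf."""
    return CONFIG_PATTERN.search(ns_conf) is not None


def assess(version: str, ns_conf: str) -> str:
    """Combined verdict: the config scan only refines an instance that the
    version scan already marked vulnerable (config scan is used with version scan)."""
    verdict = version_scan(version)
    if verdict != "vulnerable":
        return verdict
    return "vulnerable" if config_scan(ns_conf) else "not_vulnerable"
```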