back to article Nothing to see here, folks, literally... Citrix mysteriously pulls NetScaler downloads

Citrix has temporarily suspended its NetScaler downloads due to an unspecified, and possibly security-related, issue. In an advisory to customers on Monday, and updated on Wednesday, Citrix outlined the affected software builds and promised that downloads should be restored by Monday, September 25. One version of note, seen by …

  1. J. Cook Silver badge

    Um...

    Cisco != Citrix. There's nothing in the CCleaner compromise that references citrix or netscaler.

    Granted, Citrix seems to be having their own problems, as the article mentions...

    1. Snowy Silver badge
      Alert

      Re: Um...

      I think the idea is the CCleaner compromise was used to compromise some Cisco's system. Which in turn allowed NetScaler downloads to be compromised.

  2. Anonymous Coward
    Anonymous Coward

    Apache Optionsbleed

    If I was a betting man, my money would be on this being related to the Apache Options bleed vulnerability. The builds were pulled on the same day this was announced to the world.

    1. vbwilliams13

      Re: Apache Optionsbleed

      My wager is this "feature":

      https://support.citrix.com/article/CTX227241

      The listed solution actually isn't one. We've seen a use case where we'd have to delete all valid certs before installing another. So right now if you upgrade to 11.1.55 or later, none of the builds recognize any certificates with this condition = none of your sh*t works after the required reboot.

      We ran into it and had to forcefully downgrade to unaffected version that happened to be still on our netscalers. Completely stupid but critical issue. And more importantly the customer has 0 control over the CA or certificate properties.

      1. Anonymous Coward
        Anonymous Coward

        Re: Apache Optionsbleed

        Possibly, but I don't think an issue like this would result in a "pull ALL builds" response, especially as they have pulled everything from 10.1 onwards and Cloudbridge/NS SDWAN builds as well.

        This smells like a security issue, and is co-incidental with the options bleed announcement.

        Guess we will find out which of us is out of pocket on Monday.

        1. vbwilliams13

          Re: Apache Optionsbleed

          You're probably right. I can tell you that optionsbleed has already ruined my weekend.

          1. Anonymous Coward
            Anonymous Coward

            Re: Apache Optionsbleed

            The more I think about this after looking at the recommended actions in the updated KB article, the more I think it is far more serious than just Apache options bleed. I think this is more likely to be an easily exploitable vulnerability in the management interface.

            If it was options bleed, Citrix would have issued an advisory, but I don't think they would have pulled all the builds. This is more serious and the timing is co-incidental.

  3. Anonymous Coward
    Anonymous Coward

    Uh oh...

    https://support.citrix.com/article/CTX227928

    CVE-2017-14602: Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface

    Exposing the management interface is against all best practices, but it also happens...a lot...especially in Azure.

  4. Gis Bun

    Updated builds that supposedly fix the issue are available.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021