  • Guest
    Diagrams and Poster: NetScaler ADC - nsconmsg Commands Cheat Sheet
    Contributed By: Gene Whitaker
    Special Thanks To: Adrianna Pellitteri
    Overview
    Nsconmsg operates on NetScaler ADC newnslog and is the most widely used tool for troubleshooting Citrix ADC issues. The following are some of the most important points to remember:
    • Reads newnslog formatted log files and displays the data
    • The newnslog files are located in the /var/nslog/ directory
    • Common items viewed from a newnslog are: counter statistics, console messages, events, commands, feature specific output, and system stats
    • Run the following command, in shell, to view all nsconmsg usage operations: # nsconmsg -h
    The nsconmsg cheat sheet provides you with the most commonly used commands for your reference.
    Use the following link to download NetScaler ADC nsconmsg Commands Cheat Sheet.
     

     

    Ricardo José Garrido Reichelt
    In this article we showcase some basic EPA (End Point Analysis) policies that we can implement within our organization to enhance security.

    Please note that we will not go into the details of setting up pre- or post-authentication EPA policies, but will concentrate on the EPA policies themselves.

    For reference, here is the short list of policies and their setup that we describe in this blog entry:
    • EPA for Operating System Patches (not the patch management)
    • EPA for Operating System version
    • EPA device certificate verification
    • EPA Antivirus Check (Windows Defender as sample)
    • EPA Registry check and CWA (Citrix Workspace Agent) verification
    • EPA Registry check and CWA (Citrix Workspace Agent) verification with the use of NetScaler expressions

    To use EPA with Advanced Expressions, we look it up in the search box and click the search result (the fastest operational approach).
     

     
    EPA for Operating System Patches (not patch management)
     
    As indicated we will create a new EPA action in the EPA settings through the NetScaler admin user interface. Here it is advised to make use of the expression editor, as it will provide guidance and help for the creation of the corresponding rules.
     
    For this purpose we will go to:   EPA Editor >> Windows >> Windows Update >> + to proceed in making the configuration.
     
    In this case we have chosen that Security Updates and Service Packs should not be missing on the operating system the user is using to connect to the NetScaler.
     
    The corresponding rule would be the following one, which could also be copy/pasted into the box without using the EPA editor:
    sys.client_expr("sys_0_WIN-UPDATE_WIN-MISSED-PATCH_==_SECURITYUPDATES,SERVICEPACKS[COMMENT: Windows Update]")
     
    This external third-party link shows a detailed list of the options, in relation to the installed service packs, that we can use for Windows operating systems:
     
    Description of the standard terminology that is used to describe Microsoft software updates
     

     
    EPA for Operating System version
     
    With the following policy we verify the Operating System version.

    For this purpose we could use either the "Windows" element, as it includes one configuration option, or the "Common" option within the EPA Editor (first option). Note that for the purpose of this blog entry we have chosen the Windows menu as the first configuration item.
     
    Windows >> Windows OS >> Select Operating System and edit desired minimum version
     
    Corresponding string:
    sys.client_expr("sys_0_WIN-OS_NAME_anyof_WIN-11_BUILD-NUM_==_22621[COMMENT: Windows OS]")
     
    Important:   Be careful when creating the logic = , || , && , <= , etc., as this is a common source of mistakes during policy setup.
     

     
     
    EPA device certificate verification
     
    Before we start, please note some important things in relation to this policy:
    • This policy relates to the verification of the device certificate on a Windows machine. Because of this, the EPA Plugin has to be installed with administrative rights, as the operating system requires it.
    • This is not user certificate authentication with a user certificate or smart card, which would be a different procedure.
    • Additionally, some further changes are needed to make this EPA policy work. The details are described in different documentation and KB articles. Without getting too much into detail, to make this policy work you will need to configure:
        Virtual Gateway Server
            Basic Settings (more)
                Configure CA for device Certificate but do not activate the checkbox
            Certificate
                Configure Server Cert
                Configure CA Cert
        AAA Virtual Server
            Basic Settings
                Configure CA for device Certificate
    The EPA policy itself is quite simple:
     
    sys.client_expr("device-cert_0_0")
     

     
    EPA Antivirus Check (Windows Defender as sample)
     
    One commonly requested check is the verification of a security element such as an antivirus solution. For this specific example we have chosen Windows Defender, but a variety of other security solutions are supported and available.

    Note that for the purpose of this example we have only used the main version for detection.
    sys.client_expr("app_0_ANTIVIR_90_362_VERSION_>=_4.20[COMMENT: Windows Defender]")
     

     
     
    EPA Registry check and CWA (Citrix Workspace Agent) verification
     
    With this entry we have combined two interesting verifications: with EPA we verify the existence of a Windows Registry Key, and at the same time we verify the version of CWA (Citrix Workspace Agent).
    These Registry entries are currently used by CWA to provide uninstall information, yet the CWA version is reflected within those entries. As you can see, the string used is quite long, and we are verifying two elements within the registry, which are a minor and a major version. Both checks are joined with an "&&" operator:
     
    (sys.client_expr("sys_0_REG_PATH_==_HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\CitrixOnlinePluginPackWeb\\\\VersionMajor_VALUE_==_23[COMMENT: Registry]")) && (sys.client_expr("sys_0_REG_PATH_==_HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\CitrixOnlinePluginPackWeb\\\\VersionMinor_VALUE_>=_9[COMMENT: Registry]"))
     
     

     
    EPA Registry check and CWA (Citrix Workspace Agent) verification with the use of NetScaler expressions
     
    As we have seen in the last example, Registry Key EPA expressions can get somewhat complex from an expression point of view, especially if we want to build a more complex rule like V1 || V2 || V3, meaning the verification of different CWA (Citrix Workspace Application) versions.

    To make this easier from an operational point of view, we can make use of the "Expressions" functionality within NetScaler.
     
    You have to navigate to:   App Expert >> Expressions >> Advanced Expressions
     
    It is highly recommended to make use of the Advanced and not the Classic expressions as those will be deprecated in upcoming versions.
     

     
    Once we have our different versions set  as in this picture: 
     

     
    We will proceed in creating our EPA Policy with the corresponding Expressions that we have created.
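
The registry rule from the previous section (VersionMajor == 23 && VersionMinor >= 9) matches major version 23 only, so if it is meant as "CWA 23.9 or newer" it stops matching once the major version moves to 24. The following added example (not part of the original post) builds the expression strings in the page's format and checks the boolean logic on constructed registry values; the helper names and the local evaluation model are assumptions for illustration and do not reproduce the EPA client itself.

```python
import operator

# Registry key prefix copied verbatim from the EPA expression on the page.
REG_PREFIX = (
    r"sys_0_REG_PATH_==_HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\WOW6432Node"
    r"\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall"
    r"\\\\CitrixOnlinePluginPackWeb\\\\"
)
OPS = {"==": operator.eq, ">=": operator.ge}  # the operators used on the page


def check(value_name, op, number):
    """One registry comparison, for example VersionMajor == 23."""
    if op not in OPS:
        raise ValueError(f"unsupported operator: {op}")
    return ("check", value_name, op, number)


def all_of(*terms):
    return ("and", terms)


def any_of(*terms):
    return ("or", terms)


def render(node):
    """Render a rule tree as an EPA expression string in the page's form."""
    if node[0] == "check":
        _, name, op, number = node
        return (f'(sys.client_expr("{REG_PREFIX}{name}_VALUE_{op}_{number}'
                '[COMMENT: Registry]"))')
    joiner = " && " if node[0] == "and" else " || "
    return "(" + joiner.join(render(term) for term in node[1]) + ")"


def evaluate(node, registry):
    """Evaluate a rule tree against a dict of registry values.

    Assumption of this local model: a missing registry value fails its check.
    """
    if node[0] == "check":
        _, name, op, number = node
        return name in registry and OPS[op](registry[name], number)
    results = [evaluate(term, registry) for term in node[1]]
    return all(results) if node[0] == "and" else any(results)


def page_rule():
    """The rule from the page: VersionMajor == 23 && VersionMinor >= 9."""
    return all_of(check("VersionMajor", "==", 23),
                  check("VersionMinor", ">=", 9))


def minimum_version_rule(major, minor):
    """'major.minor or newer', built only from == and >= checks."""
    return any_of(
        all_of(check("VersionMajor", "==", major),
               check("VersionMinor", ">=", minor)),
        check("VersionMajor", ">=", major + 1),
    )


# Constructed sample endpoints; the registry values are illustrative.
ENDPOINTS = {
    "CWA 22.12": {"VersionMajor": 22, "VersionMinor": 12},
    "CWA 23.5": {"VersionMajor": 23, "VersionMinor": 5},
    "CWA 23.9": {"VersionMajor": 23, "VersionMinor": 9},
    "CWA 24.2": {"VersionMajor": 24, "VersionMinor": 2},
    "not installed": {},
}


def compare_rules():
    """Return {endpoint: (page rule result, minimum-version rule result)}."""
    strict, minimum = page_rule(), minimum_version_rule(23, 9)
    return {name: (evaluate(strict, reg), evaluate(minimum, reg))
            for name, reg in ENDPOINTS.items()}


if __name__ == "__main__":
    for name, (strict, minimum) in compare_rules().items():
        print(f"{name:14} page rule={strict!s:5} minimum rule={minimum}")
    print(render(minimum_version_rule(23, 9)))
```

Each sub-expression printed by `render` can also be stored as a named Advanced Expression, as described above, so the EPA policy only references the names.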
     

     

    NetScaler Cyber Threat Intelligence
    NetScaler WAF Signatures Update v118
     NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate several CVEs with variable CVSS.
    The most critical is CVE-2023-22518, an improper authorisation vulnerability in the setup-restore endpoints of Atlassian Confluence Data Center and Server. This vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. All versions of Confluence Data Center and Server are affected by this vulnerability. As part of Atlassian’s ongoing monitoring of this CVE, they observed publicly posted critical information about the vulnerability, increasing the risk of exploitation. There are still no reports of an active exploit, though customers must take immediate action to protect their instances.
     Signatures included in v118:
    | Signature rule | CVE ID | Description |
    |---|---|---|
    | 998591 | CVE-2023-39968 | WEB-MISC Jupyter Server Prior to 2.7.2 - Open Redirect Vulnerability (CVE-2023-39968) |
    | 998592 | CVE-2023-38743 | WEB-MISC Zoho ManageEngine ADManager Plus Prior to 7200 - Remote Code Execution Vulnerability (CVE-2023-38743) |
    | 998593 | CVE-2023-22518 | WEB-MISC Confluence Data Center and Server Multiple Versions - Improper Authorization Vulnerability (CVE-2023-22518) |
    | 998594 | CVE-2023-20890 | WEB-MISC VMware Aria Operations for Networks - Arbitrary File Write Vulnerability (CVE-2023-20890) |
    | 998595 | CVE-2023-20889 | WEB-MISC VMware Aria Operations for Networks - Command Injection Vulnerability (CVE-2023-20889) |
    | 998596 | CVE-2023-20273 | WEB-MISC Cisco IOS XE Software - Command Injection Vulnerability (CVE-2023-20273) |
     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software version 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.
     If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 118 or later and then follow these steps.
    1. Search your signatures for <number>
    2. Select the results with ID
    3. Choose "Enable Rules" and click OK
    NetScaler WAF Best Practices
    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.
     Handling false positives
    If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.
     
    Modifications to NetScaler Web App Firewall Policy:
    add policy patset exception_list
    # (Example: bind policy patset exception_list "/exception_url")
    Prepend the existing WAF policy with:
    HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
    # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)
    NOTE: Excluding endpoints through the exception_list may expose those assets to risk.
    Additional Information
    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.
    Learn more about NetScaler Web app Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.
    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 
     
     
     
     
     

    Brian Huhn 2
    What is Content Switching and why does it matter?
     
    In this episode, Brian Huhn and Jason Poole are joined by CoreLayer's Co-Founder, Jan Tytgat. Together they will discuss the power of Content Switching and why making traffic management decisions based on the content of a request (rather than on its networking components) can be a real game changer.

    Guest
    Deployment Guide: Migrating Citrix ADM to Citrix ADM service
    May 4, 2021
    Author:  Arnaud Pain
    Overview
    In this document, you’ll discover how to migrate Citrix ADM (Application Delivery Management) on-premises to Citrix ADM service. Migrating to cloud resources modernizes your deployment, providing enhanced elasticity, scalability, and management.
    The guidance documented here is based on a deployment in a Citrix approved lab environment running on VMware vSphere Hypervisor. The initial and final deployments represent typical customer environments.
    Audience
    We’ve written this document for users who are
    • Familiar with the administration of a Citrix ADM
    It's also helpful if you know Citrix Cloud fundamentals and understand Citrix ADM service.
    Set up a basic Citrix Cloud environment
    For more information on the onboarding process, see the Getting Started section. During the initial configuration of the ADM service agent, you need to provide the Service URL and Activation Code that are provided during the initial configuration in Citrix Cloud.

    Note:
    As we migrate from on-premises ADM, we do not need to continue the Agent configuration and can click Skip.
    Deploy ADM service agent
    More details can be found here.
    1. Download the agent image as instructed in Getting Started.
    2. Import the agent image file to VMware vSphere.
    3. From the Console, configure the initial network configuration options as shown in the example below.
    4. After completing the initial network configuration, save the configuration settings.
    5. When prompted, log on using the default (nsrecover/nsroot) credentials.
    6. Run the script /mps/register_agent_cloud.py.
    7. Enter the Service URL and the Activation Code that was provided in Citrix Cloud during initial configuration.
    8. You are prompted to change the ADM (Application Delivery Management) Agent default password.
    9. After the Agent password is updated and registration succeeds, the agent restarts to complete the installation process.
    Migrate to ADM service
    After the ADM service agent basic configuration is done, the next step is to upgrade the ADM to a Firmware that includes the script that will be used to migrate. You can migrate on-premises Citrix ADM 13.0 76.29 or a later version to Citrix Cloud. If your ADM has 12.1 or an earlier version, you must first upgrade to 13.0 76.29 or a later version and then migrate to Citrix Cloud. For more information, see the Upgrade section.
    Once your ADM is on the required version, you can start the migration process. The next step is to configure the on-premises ADM service agent.
    Configure ADM service agent
    To enable communications between Citrix ADC instances and Citrix ADM, you must configure an agent. Citrix ADM agents are, by default, automatically upgraded to latest build. You can also select a specific time for the agent upgrade. For more information, see Configuring agent upgrade settings.
    If your existing on-premises ADM, standalone or HA pair, has no on-premises agents configured, you must configure at least one agent for ADM service. If your existing on-premises ADM, standalone or HA pair, is configured with on-premises agents for multisite deployments, it is advised to configure the same number of agents for ADM service. For more information on configuring an agent, see the Getting Started section.
    1. Connect to Citrix Cloud.
    2. Click Home icon and select Identity and Access Management.
    3. Click API Access tab.
    4. Provide a name for Secure client and click Create Client.
    5. Click Download.
    License
    If you use your on-premises ADM deployment as a Pooled license server for ADC instances, you will need, before the migration, to reallocate your licenses to ADM service. In fact, during the migration process, the ADC license configuration is updated to point to ADM service agent instead of your ADM on-premises.
    1. Connect to Citrix Cloud ADM service.
    2. Navigate to Networks > Licenses.
    3. Take note of your Host ID and go to https://www.mycitrix.com to reallocate your licenses.
    Ensure your licenses are present in ADM service before starting the migration.
    Migrate
    The secureclient.csv downloaded from previous steps needs to be uploaded to primary ADM. Copy the client ID and secret CSV file, for example, in the /var directory.
    Note:
    For an ADM HA pair, copy the CSV file in the primary node.

    We recommend updating to ADM 76.x or later builds, as the migration scripts (servicemigrationtool.py and config_collect_onprem.py) are included in the build and available in /mps/scripts.
    Note:
    Ensure that the on-premises ADM has internet connectivity during migration.
    For an ADM HA pair, log on to the primary node.
    1. Using an SSH client, log on to the on-premises ADM.
    2. Enter in Shell.
    3. Validate if the CSV file is present.
    4. Run the following commands to complete the migration:
    a. cd /mps/scripts
     
    b. python servicemigrationtool.py
     
    For example: python servicemigrationtool.py /var/secureclient.csv
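
A pre-flight check for the steps above, as an added example that is not part of the original guide or of the ADM build: it confirms that the secure client CSV and both migration scripts are in place, and that the CSV, which holds the client ID and secret, is readable by its owner only. The function name, the owner-only permission rule and the use of a Python 3 interpreter are assumptions; the paths and script names are the ones given on the page.

```python
import os
import stat

# Script names and default paths as given on the page.
REQUIRED_SCRIPTS = ("servicemigrationtool.py", "config_collect_onprem.py")


def preflight(csv_path="/var/secureclient.csv", scripts_dir="/mps/scripts"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    try:
        info = os.stat(csv_path)
    except OSError:
        findings.append(f"{csv_path}: not found")
    else:
        mode = stat.S_IMODE(info.st_mode)
        if not stat.S_ISREG(info.st_mode):
            findings.append(f"{csv_path}: not a regular file")
        elif info.st_size == 0:
            findings.append(f"{csv_path}: empty file")
        # The CSV holds the secure client ID and secret, so nobody but the
        # owner should have any access bits on it (assumed hardening rule).
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                f"{csv_path}: mode {mode:03o} is open to group/others, "
                "expected 600")
    for name in REQUIRED_SCRIPTS:
        path = os.path.join(scripts_dir, name)
        if not os.path.isfile(path):
            findings.append(f"{path}: migration script missing")
    return findings


if __name__ == "__main__":
    problems = preflight()
    for line in problems:
        print("FAIL", line)
    raise SystemExit(1 if problems else 0)
```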
    After you run the script, it checks the prerequisites and then proceeds with the migration. The script first checks for license availability. The following message is displayed only if you have fewer ADM service licenses than on-premises licenses.

    If you select Y, the migration continues by licensing the VIP randomly. If you select N, the script stops the migration. If you have the unsupported ADC instance version for the pooled license server, the following message is displayed:

    If you select Y, the migration process continues by changing the license server. If you select N, the script prompts if you want to proceed with rest of the migration. The script stops the migration if you select N. If you have the supported ADC instance version for the pooled license server, the following message is displayed:

    Note:
    Only the primary node IP address is shown above.
    If you select Y, the migration process continues by changing the license server. Depending upon the on-premises configuration, the approximate time for the migration to complete is between a few minutes and a few hours. After the migration is complete, you see the following message:

    The migration is successful once all the ADC and SD-WAN WANOP instances and their respective configurations are successfully moved to ADM service.
    Validate
    After successful migration, the on-premises Citrix ADM stops processing the following instance events:
    • SSL certificates
    • Syslog messages
    • Backup
    • Agent cluster
    • Performance reporting
    • Configuration audit
    • Emon scheduler
    You can connect to Citrix ADM service and ensure you see your ADC instance.

     

    NetScaler Cyber Threat Intelligence
    NetScaler WAF Signatures Update v117
    (limited to CISCO XE Software)
     NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate the maximum severity CVSS 10 zero-day vulnerability in Cisco IOS XE (CVE-2023-20198), which has been exploited in the wild.
    Cisco has issued a security advisory regarding multiple vulnerabilities in the web UI feature of Cisco IOS XE Software. The most critical vulnerability, CVE-2023-20198, allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then exploit another component of the web UI feature to elevate privilege to root and write the implant to the file system. Cisco has assigned a CVSS Score of 10.0 to CVE-2023-20198. The company is making Software Maintenance Upgrade (SMU) files available and will update the advisory as additional releases post to Cisco Software Download Center. For steps to close the attack vector for these vulnerabilities, see the Recommendations section of Cisco's advisory. For protection until you update to the latest version, download and use the v117 signature.
      Signatures included in v117:
    | Signature rule | CVE ID | Description |
    |---|---|---|
    | 998597 | CVE-2023-20198 | WEB-MISC Cisco IOS XE Software - Authentication Bypass Vulnerability (CVE-2023-20198) |
     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software version 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.
     If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 117 or later and then follow these steps.
    1. Search your signatures for <number>
    2. Select the results with ID
    3. Choose "Enable Rules" and click OK
    NetScaler WAF Best Practices
    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.
     Handling false positives
    If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.
     
    Modifications to NetScaler Web App Firewall Policy:
    add policy patset exception_list
    # (Example: bind policy patset exception_list "/exception_url")
    Prepend the existing WAF policy with:
    HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
    # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)
    NOTE: Excluding endpoints through the exception_list may expose those assets to risk.
    Additional Information
    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.
    Learn more about NetScaler Web app Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.
    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 
     
     
     
     
     

    Konstantinos Kaltsas
    Learn how to leverage WAF Policies for protecting your Applications. On this Track we will leverage infrastructure-as-code templates to demonstrate:
    • How to create WAF policies and profiles.
    • How to enable WAF policies on load balancing or content switching virtual server level.
    • How to block or log malicious requests based on different criteria.
    Click the Start hands-on Lab at the top of the post to try out!
    Please share your feedback or any issues in the comments section.

    Konstantinos Kaltsas
    Learn how to leverage basic Rewrite / Responder Policies for manipulating Requests and Responses. On this Track we will leverage infrastructure-as-code templates to demonstrate:
    • How to create rewrite / responder policies. What is the difference between the two?
    • How to bind a policy on a content switching server.
    • How to manipulate an incoming request based on different criteria.
    • How to redirect a request based on different criteria.
    Click the Start hands-on Lab at the top of the post to try out!
    Please share your feedback or any issues in the comments section.

    Konstantinos Kaltsas
    Learn how to deploy & configure a Content Switching virtual server for routing traffic to your applications. On this Track we will leverage infrastructure-as-code templates to demonstrate:
    • How to deploy a content switching virtual server to route traffic to your apps.
    • How to route traffic based on URL path.
    • How to route traffic based on HTTP Header values.
    Click the Start hands-on Lab at the top of the post to try out!
    Please share your feedback or any issues in the comments section.

    Mayur Vadhar
    NetScaler CPX is a container-based application delivery controller that can be provisioned on a Docker host. NetScaler CPX enables customers to leverage Docker engine capabilities and use NetScaler load balancing and traffic management features for container-based applications. 
     
    In this hands-on lab, learn how to expose microservice application deployed in a Kubernetes Cluster using NetScaler CPX on an existing Kubernetes Cluster.
    The lab will demonstrate how to:
    • Deploy a microservice Guestbook application on Kubernetes
    • Deploy NetScaler CPX and expose it using NodePort service
    • Expose Guestbook application via NetScaler CPX through HTTP
    • Expose Guestbook application via NetScaler CPX through HTTPS
    • Redirect incoming HTTP traffic to HTTPS for Guestbook application
    Click the Start hands-on Lab at the top of the post to try out! Let us know your feedback or any issues in the comments section.
     
