
CVE-2019-19781 Remediation on Netscaler 10.1


Graham Smart


Hi all,

 

I'm trying to remediate this vulnerability for one of our clients, and have discovered they're still on version 10.1...  When I run the commands it works up to:

 

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0

 

which reports that nsapimgr_wr.sh is not found.  I'm assuming that is because they're still on such an old version?  Is there a version of the remediation that I can use on this, or is the only option to update to the latest version?

 

Many thanks

Graham


Hi Graham,

 

I'm not too familiar with NetScaler 10.1, but I know that some components are really different for versions before 10.5.

As it is EOL, you will have no support for it, so I would highly recommend that you upgrade to a supported version.

 

10.5 is still supported if you don't want to do several big upgrades back to back. However, if you can, I would highly recommend that you upgrade to 12.1 when the fix for this vulnerability is released.

 

I don't think any mitigation steps were provided by us for 10.1, but as 10.5 is supported and affected, the mitigation steps provided should work on it.


It's a client's device (2 as they have a HA pair) (I work for an MSP) so we can recommend an upgrade - maybe we can sell them that we'll perform the upgrade!  :)

 

It's an old NSMPX-5500.  I can't see that listed in the affected devices so is it too old to have this vulnerability?


I'm not very familiar with the upgrade process from 10.1, but the software is affected; it does not depend on your hardware.

 

Depending on what the NetScaler is doing on your network, it might be complicated to upgrade. If it's basic load balancing it should be fine, but, for example, it's gonna be hard to make the policies work on 12.1.

 

Also, keep in mind that 11.0 is already EOL so I would recommend using 12.1 if possible.

Please take a look at our best practices and take your time in the upgrade process. No version has reached EOL yet besides 11.0 and 10.1 so you can stay on those for some time if you need to tweak some things here and there.


Hi Graham,

 

I'm not too familiar with NetScaler 10.1, but for this command to work, please try to enter the shell first, and then, once you have entered shell mode, enter the rest of the command.

root@ns# nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0

 

Thanks

Dinesh K
