Citrix ADC vulnerability CTX330728


Hi all:

 

I have a question. If I have deployed a Citrix ADC with Citrix Gateway deployed only in ICA Proxy mode (external access to CVAD), with no VPN mode, does this vulnerability affect this kind of deployment? I ask because the report says that VPN (Gateway) or AAA virtual servers are affected.

 

Thank you and best regards,


Are there any issues in changing these settings, and should we reboot the NS after the change? Has anyone seen any issues already?

 

Remediation configuration

1. Log on to the appliance via SSH. Enter “shell” and then press ENTER to open the Shell prompt.

2. At the Shell prompt, run the following command.

# nsapimgr_wr.sh -ys maxclientForHttpdInternalService=<val>

The value used in remediation must match the value configured for “MaxClients” in the httpd.conf file.

For example, nsapimgr_wr.sh -ys maxclientForHttpdInternalService=30 if “MaxClients” in httpd.conf is 30.

3. To persist the command across a reboot of the appliance, it must be added to the rc.netscaler startup file.

touch /nsconfig/rc.netscaler
chmod a+x /nsconfig/rc.netscaler
echo "nsapimgr_wr.sh -ys maxclientForHttpdInternalService=30" >> /nsconfig/rc.netscaler

 

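The remediation quoted above, as an added shell example that is not Citrix's own script or tooling: it reads MaxClients from httpd.conf, refuses to run on an empty or non-numeric value, and makes the rc.netscaler entry idempotent so repeated runs (for instance from an ADM job) do not stack duplicate lines. The nsapimgr_wr.sh call is only made where that tool exists, i.e. on the ADC shell; the file paths default to the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the Citrix article: derive MaxClients from httpd.conf,
# validate it, apply it, and persist it idempotently in rc.netscaler.

# Print the first uncommented MaxClients value in an httpd.conf.
extract_maxclients() {
    awk '/^[[:space:]]*MaxClients[[:space:]]+[0-9]+/ {print $2; exit}' "$1"
}

# Succeed only for a positive integer: never feed nsapimgr_wr.sh an empty
# or garbage value (the article's command would then end in "=").
valid_maxclients() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -gt 0 ] ;;
    esac
}

# The exact line the article runs in step 2 and persists in step 3.
remediation_cmd() {
    printf 'nsapimgr_wr.sh -ys maxclientForHttpdInternalService=%s\n' "$1"
}

# Append the line to rc.netscaler only if an identical line is not already
# there; prints "added" or "present" so an automation job can log the result.
persist_remediation() {
    rcfile=$1
    line=$(remediation_cmd "$2")
    touch "$rcfile" && chmod a+x "$rcfile" || return 1
    if grep -qxF "$line" "$rcfile"; then
        echo present
    else
        printf '%s\n' "$line" >> "$rcfile"
        echo added
    fi
}

# Whole procedure. Paths default to the ones quoted in the thread.
remediate() {
    httpd_conf=${1:-/etc/httpd.conf}
    rcfile=${2:-/nsconfig/rc.netscaler}
    val=$(extract_maxclients "$httpd_conf")
    valid_maxclients "$val" || { echo "bad MaxClients value '$val'" >&2; return 1; }
    # Apply immediately (step 2) only where the tool exists, i.e. on the ADC shell.
    if command -v nsapimgr_wr.sh >/dev/null 2>&1; then
        nsapimgr_wr.sh -ys "maxclientForHttpdInternalService=$val" || return 1
    fi
    persist_remediation "$rcfile" "$val"
}
```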

17 hours ago, Carl Stalhood1709151912 said:

The first command changes it immediately.

 

The second command sets up the computer startup script to run the command again whenever ADC reboots.

 

Thanks Carl. Where do you get the time to answer all these questions as well as do your work? You're great! So, what does this really do in the case of denial of service attacks? I would like to know what this does and how it protects the ADC.


3 hours ago, Sebastian Reichl1709156058 said:

Both articles have been updated.

 

Example to get MaxClients from httpd.conf and add it to rc.netscaler:

echo "nsapimgr_wr.sh -ys maxclientForHttpdInternalService=$(awk '/^MaxClients/{print $2}' /etc/httpd.conf)" >> /nsconfig/rc.netscaler

So, this command would do both? I saw that my httpd.conf file had value 30 in it. Is this the default? So what does maxclient do here? Just need some info as I am trying to understand.


3 hours ago, John Francis1709160537 said:

So, this command would do both? I saw that my httpd.conf file had value 30 in it. Is this the default? So what does maxclient do here? Just need some info as I am trying to understand.

The command searches httpd.conf for the MaxClients parameter and puts the value in rc.netscaler. I used it to automate the change with ADM...

Yes, 30 seems to be the default value. "MaxClients" limits the Apache worker processes (i.e. client connections).


I had two questions regarding the vulnerability update.

 

1) Where is a published article for SDX-hosted ADCs? There has to be more than "upgrade VPX" as a measure to address this VU.

 

2) From what I am seeing, is there a way to do the VU without going to 13.1.x? Many people are in the "advanced expressions" debacle, and going to 13.1.x would break all of the custom/basic expressions.

 

Any input is appreciated.
