Netscaler Citrix Gateway / AAA vserver Password Spray

[GeorgeD]

Is anyone else having trouble with password sprays against their netscaler aaa vserver? 

we have a nfactor flow for ldap and mfa. we recently tested out bot management, but apparently that doesn't cover the AAA vserver. 

 

i found that a simple powershell web request to 

Invoke-WebRequest -Uri https://yourDomain.com/nf/auth/doAuthentication.do -Body "login=myUserName&passwd=fdsfdfdfd&saveCredentials=false&loginBtn=Log+On&StateContext=bG9naW5zY2hlbWE9" -Method Post -ContentType "application/x-www-form-urlencoded"

 

could easily lock out accounts on our system, we setup ldap filters etc, but still haven't found a great solution for slow password sprays rolling across multiple IPs. 

 

any help here would be greatly appreciated. 

we got a few suggestions from citrix and consultants to move the mfa factor up in nfactor flow. but that would likely be more annoying to users to have the pop up appear on their phones.

i also haven't tested it but i'm not sure if the url above aaa vserver even considers nfactor flow, which means that anything nfactor related wouldnt solve for this. 

 

[Emil Pandocchi]

On 1/28/2024 at 8:01 PM, George David1709152738 said:

we recently tested out bot management, but apparently that doesn't cover the AAA vserver. 

Can you elaborate on this? BOT Management should analyze things like the User-Agent Header in requests and if globally bounded it should work for every Web-Based vServer

[GeorgeD]

according to citrix support because AAA Parsing happens before the Bot Management and any other feature, the AAA Vserver is not protected by any of those modules 

https://docs.netscaler.com/en-us/citrix-adc/13-1/getting-started-with-citrix-adc.html#packet-flow

[GeorgeD]

i've tested with a few different loginschema options. i can't get the direct script post to /nf/auth/doAuthentication.do to be protected. 

it looks like most of the protections are within the pages logic, not against "/nf/auth/doAuthentication.do", so regardless it will be easy for any script to use this public endpoint and just attempt a username / password. 

 

my last test was using the default user/password/checkbox option on the netscaler. 

right now citrix support is saying that only an ACL will protect against this, but still trying to find more information 

[GeorgeD]

@Hemang Raval saw your recent demo tomorrow about netscaler gateway server security. have a scenario here that could use some attention. 

I've filed a case with the citrix PSIRT team and waiting on an answer regarding the gap in nfactor here. 

Edited April 10 by GeorgeD

[Morten Kallesøe]

Yes, i am currently looking into implementing a similar feature that you are describing, and i dont think it will be possible before the next release of NetScaler (14.1 21.x and 13.1 52.x) as they will contain a WAF module that's loaded BEFORE aaa vServer.

but since the new protection is happening in WAF, you properly need premium license, and the creativity also needs to be flexed to create proper policies. We will see when the new release hits the street.