Akhil Nair

Akhil Nair last won the day on February 5

Akhil Nair's Achievements

  1. Proactive actions are crucial in today's digital landscape to successfully combat evolving cyber threats. One such threat, CVE-2024-1709, has recently surfaced, targeting ConnectWise ScreenConnect versions 23.9.7 and earlier. This vulnerability poses a significant risk, as it potentially allows attackers to bypass authentication through an alternate path or channel.

     The Exploit

     Due to a particular .NET feature that processes additional URL path components beyond the legitimate one, attackers are able to bypass access restrictions and reach the setup wizard on ScreenConnect instances that are already configured. This lets them grant themselves elevated privileges or full administrator control, rewriting the existing user access database. Once they have admin rights, attackers can upload malicious files or execute arbitrary code on the system.

     In this blog post, we'll focus on how organizations can use NetScaler Web Application Firewall (WAF) signatures to mitigate the risks associated with CVE-2024-1709.

     Leveraging Signature-based Protections

     NetScaler WAF provides a robust defense against CVE-2024-1709 and similar vulnerabilities through its extensive database of signatures. These signatures are crafted to identify and block known attack patterns associated with CVE-2024-1709, enabling organizations to fortify their defenses against emerging threats.

     Comprehensive Threat Intelligence: NetScaler WAF continuously updates its signature database with the latest threat intelligence feeds, so organizations stay ahead of evolving cyber threats, including CVE-2024-1709. With up-to-date threat intelligence, NetScaler WAF can detect and mitigate emerging vulnerabilities, improving overall security posture.

     Enabling the signature from the Unified Security Console:
     - From your NetScaler Console Service, navigate to Security > Security Dashboard.
     - Select your application from the 'Unsecured Applications' tab. If you've previously configured it using the Unified Security flow, you'll find it under the 'Secured Applications' tab; click the edit icon.
     - Select the 'CVE Protections' tile.
     - Search for the CVE in the list of signatures and enable it.

     Enabling the signature from NetScaler ADC:
     - Ensure you're running signature version 125.
     - Search your signatures for the 'CVE-2024-1709' LogString and select the results.
     - Choose "Enable Rules" and click OK.

     Real-time Detection and Mitigation: NetScaler WAF's signature-based protections operate in real time, enabling organizations to swiftly detect and mitigate unauthorized access attempts associated with CVE-2024-1709. By analyzing web traffic against its signature database, NetScaler WAF can identify and block malicious activity before it compromises sensitive information or critical systems.

     Customization and Flexibility: NetScaler WAF allows organizations to customize signature-based protections based on their specific security requirements and risk profile. By tailoring signature-based rules and policies to their environment, organizations can mitigate CVE-2024-1709 and other vulnerabilities while minimizing false positives and disruptions to legitimate traffic.

     CVE-2024-1709 highlights the importance of proactive cybersecurity measures in safeguarding organizational assets against emerging cyber threats. By leveraging NetScaler WAF signatures, organizations can mitigate the risks associated with CVE-2024-1709 and enhance their overall security posture. With comprehensive threat intelligence, real-time detection, and customization capabilities, NetScaler WAF empowers organizations to defend against evolving cyber threats and protect their critical assets with confidence.
  2. Pre-requisite: customers need a Premium NetScaler license and ADM Service to enable API Gateway.

     The rise of API-driven software has seen a corresponding rise in API-related security attacks. In the last few years, the industry has seen an increase in data breaches across companies of all shapes and sizes. Notable enterprises such as Venmo, Experian, and Peloton, among others, have been victims of API attacks and data breaches. This has led to the exposure of millions of personally identifiable information (PII) records of their customers, costing millions in damages and fines. As organizations realize the critical need for effective API security in their overall security posture, Citrix API Gateway is one solution that's ready to solve the challenge.

     Three simple steps let organizations protect their APIs by deploying them behind the Citrix API Gateway:
     - Onboarding the API
     - Deploying the API
     - Enabling Policies

     Onboarding the API

     To onboard your API to the Citrix API Gateway, the first step is uploading the API specification. An API specification is a high-level blueprint of how your API works structurally. Although development teams sometimes overlook creating an API specification, it is an important step toward secure applications. The OpenAPI Specification (OAS), previously known as Swagger, is one such standard interface for RESTful API specifications, allowing APIs to be discovered and understood by both computers and humans. An OAS specification is represented as an object in a JSON or YAML file. No need to worry if you don't have your API spec already created; you can create one manually inside the Citrix API Gateway. To begin, navigate to your instance of Citrix ADM and log in. Once there, follow these steps:
     - Go to the sidebar and click Security >> API Gateway >> API Definitions.
     - Click Add and either upload your OAS API specification file (if you have one) or select Create Your Definition to create one manually.

     Now that you've added your API spec, it's time to deploy your API to the gateway.

     Deploying the API
     - Go to the sidebar and click Security >> API Gateway >> Deployments.
     - Click Add and fill out the details under Deployment Basic Info: give your deployment a name and select the target API gateway (NetScaler) from the drop-down menu.
     - Select the relevant API definition and fill out details such as IP address, port, certificate, and so on.
     - Under Upstream Services, click Add to configure your upstream API services (your back-end API services).
     - Under Routing, add routes for the upstream services you created. Routing tells the API Gateway how to route incoming API calls to the right back-end service.

     Enabling Policies

     The next step is to create policies for the upstream (back-end) API services:
     - Go to the sidebar and click Security >> API Gateway >> Policies.
     - Click Add. Fill out a name, select a deployment, and choose the appropriate upstream service.
     - Click Add to create various types of policies against different API resources. Useful policies include rate limiting, authorization, WAF, Bot, header rewrite, and deny. You can also create custom rules according to your business needs.
     - Once all policies are complete, click Save and Apply.

     And that's it. You've successfully onboarded your API to the Citrix API Gateway. This is one step that pays dividends, as your APIs and applications are now more secure. Not only does this help limit your attack surface, it also gives you holistic visibility into your API ecosystem (via the API Analytics feature). This allows you to monitor API performance, discover shadow and leaky APIs, monitor endpoint activity, and gain various insights on your API deployments. With the added level of security, rest assured that the Citrix API Gateway takes care of the tedious work and keeps your applications much more secure.
  3. Whether you're developing a software program or building a website, you may often find yourself, as a front-end or back-end developer, requiring an application programming interface (API). APIs are the protocols, routines, and utilities that work behind the curtain to facilitate communication among web and mobile apps, and they've completely changed how we use those apps. They're the key integration point, and you can usually find an API for almost anything, such as current local weather information, Netflix content, or Google search information.

     The global API management market is expected to grow from USD 1.2 billion in 2018 to USD 5.1 billion by 2023, at a compound annual growth rate of 32.9 percent. The key drivers include increased demand for API-led connectivity and the need for public and private APIs to accelerate digital transformation. Three significant shifts in the industry have led to this growth:
     - Consumer shift from single-device to multi-device usage
     - Architecture shift from monolithic applications to microservices
     - Infrastructure shift from on-prem to cloud

     Along with these shifts have come ever-increasing complexity, lack of clear visibility into API access, and new and increased levels of attacks on APIs. In this post, we will look at NetScaler's API security offering. We will also examine the security issues that shadow APIs can pose to organizations and how API discovery can help eliminate the security risks associated with them.

     NetScaler API Security

     NetScaler API security offers comprehensive protection for your APIs so that you can secure your organization's valuable app and data assets. Because it is built on top of NetScaler ADC, it delivers a level of performance and security built up over two decades. NetScaler API security front-ends API services and acts as a gateway and single point at which to enforce security policies on the APIs. It works in conjunction with NetScaler Application Delivery Management (ADM) to provide insights into API performance and to help you make more informed decisions. The API gateway provides a single point of entry for API calls, and it helps you configure, manage, and secure API endpoints. It can perform rate limiting, authentication and authorization, content routing, and additional tasks to ensure secure, reliable access to back-end services via your APIs. You can use NetScaler ADM to manage your API gateway, and NetScaler API security uses machine learning in NetScaler ADM to thwart attacks such as excessive data exposure (OWASP API-3) and attempted account takeovers.

     Shadow APIs and API Discovery

     Agile development processes help software teams make smaller, incremental changes to code at a rapid pace, and APIs let DevOps focus on accelerating innovation by continuously delivering new apps and APIs. However, this speed can create silos, especially in organizations where multiple teams are involved. When APIs are created or deployed outside of an organization's documented publication process, when specifications are not followed, or when older API versions are not end-of-lifed properly, these shadow APIs can introduce security risks that lead to data loss, fraud, or abuse. Shadow or deprecated APIs may not be subject to an organization's normal security policies, and they may transmit sensitive information or confidential PII data with no security oversight. Automatic API discovery, inventory, and assessment of your APIs eliminate the security risks associated with shadow APIs.

     NetScaler API Discovery and Analytics

     NetScaler API security learns about APIs by onboarding API definitions from an OAS file. OAS (OpenAPI Specification) is a community-driven open specification within the OpenAPI Initiative, a Linux Foundation Collaborative Project. OAS defines a standard, programming-language-agnostic interface description for REST APIs. The ability to onboard APIs from an OAS file dramatically speeds up the configuration of your NetScaler API security functionality. What used to be a time-consuming, manual process is simplified and automated with NetScaler ADM: it accepts new API definitions from an OAS file, lets you configure your API gateway policies, and then deploys them to NetScaler ADC in a matter of minutes, so you can deploy new apps securely and quickly.

     Follow these steps to create an API Definition in NetScaler ADM:
     - Navigate to Applications → API Gateway → API Definitions.
     - Click Add.
     - To create your definition from an API specification file, click "Upload OAS Specification" to browse for and upload the specification (Swagger 2.0 or OpenAPI 3.0). This parses the file and auto-populates the information needed to create your API Definition.
     - Alternatively, select Create Your Definition and specify the following required information manually:
       Name - A name for the API definition.
       API Definition - A definition must include title, version, base path, and host. The host can be a domain name or IP address.
       API Resources - Add multiple API resources to your definition. Each resource has a path and supported method.

     You can also select any API endpoint to view its detailed analytics report, which provides performance and usage data such as response time, bandwidth consumption, the geo-locations from which the endpoint was accessed, and HTTP response status. API analytics gives visibility into API traffic and allows IT administrators to monitor API instances and endpoints served by an API gateway.
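As an added example for the onboarding steps in posts 2 and 3 (not NetScaler or Citrix code, and not from the original posts): it derives the API Definition fields (name, version, host, base path, resource path and method) from a constructed OpenAPI 3.0 document, then checks constructed access-log lines against that definition to surface the undocumented endpoints that the shadow-API discussion warns about. The spec, the log lines and the hostname are all assumptions.

```python
"""Added example (not NetScaler/Citrix code): derive the API Definition fields
(name, version, host, base path, resource path + method) from an OpenAPI 3.0
document and compare them with observed traffic to find "shadow" endpoints."""
import json
import re
from urllib.parse import urlparse

# Constructed sample OpenAPI 3.0 document (JSON form; YAML works the same).
OAS_DOC = json.loads("""{
  "openapi": "3.0.0",
  "info": {"title": "Orders API", "version": "1.2.0"},
  "servers": [{"url": "https://api.example.test/v1"}],
  "paths": {
    "/orders": {"get": {}, "post": {}},
    "/orders/{id}": {"get": {}, "delete": {}}
  }
}""")

# Constructed access-log lines in the form "METHOD PATH STATUS".
ACCESS_LOG = [
    "GET /v1/orders 200",
    "POST /v1/orders 201",
    "GET /v1/orders/42 200",
    "PUT /v1/orders/42 200",        # method not in the spec
    "GET /v1/internal/export 200",  # path not in the spec (shadow endpoint)
    "GET /v2/orders 404",           # version outside the spec's base path
]
HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")


def build_definition(doc):
    """Return the API Definition fields; raise if a required one is missing."""
    info = doc.get("info", {})
    servers = doc.get("servers") or []
    if not servers or "title" not in info or "version" not in info:
        raise ValueError("spec needs info.title, info.version and a server URL")
    url = urlparse(servers[0]["url"])
    resources = [(path, method.upper()) for path, ops in doc.get("paths", {}).items()
                 for method in ops if method.lower() in HTTP_METHODS]
    return {"name": info["title"], "version": info["version"], "host": url.hostname,
            "base_path": url.path.rstrip("/") or "/", "resources": resources}


def _path_regex(base_path, template):
    """Compile '/orders/{id}' under base_path; a {param} matches one segment."""
    segments = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
                for s in template.strip("/").split("/")]
    prefix = "" if base_path == "/" else re.escape(base_path)
    return re.compile("^" + prefix + "/" + "/".join(segments) + "/?$")


def find_shadow_endpoints(definition, log_lines):
    """Return (method, path) pairs seen in traffic that the definition does not cover."""
    known = [(m, _path_regex(definition["base_path"], p)) for p, m in definition["resources"]]
    shadow = []
    for line in log_lines:
        method, path, _status = line.split()
        if not any(m == method and rx.match(path) for m, rx in known):
            shadow.append((method, path))
    return shadow
```

Every pair returned by `find_shadow_endpoints` is traffic the gateway would see but the uploaded definition does not describe, which is the list an admin would use to update the definition from discovered endpoints.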
  4. Key Use Cases:

     Unified Application Security - A new configuration workflow that consolidates all WAF and Bot capabilities into a single pane of glass while abstracting the need to learn how security works. End users have access to templates such as OWASP Top-10 checks and CVE-related checks. It is available in ADM Service and in ADM on-prem starting from version 14.1 12.x builds.

     WAF Recommendation Scanner on ADM on-prem - Available as part of the Unified Application Security workflow. Users can now scan their external/internal web apps, and the scanner automatically suggests WAF checks based on the web app's underlying technology. Available in ADM on-prem starting from version 14.1 12.x builds.

     API Security: API-aware NetScaler as proxy - API spec files can now be uploaded to ADCs directly to validate every endpoint and ensure that it conforms to the schema. Additionally, you can apply WAF or AAA policies and use PI expressions to apply security, authenticate endpoints, or route API traffic.

     Other use cases:

     Protect internal apps accessed via Gateway (SPA/StoreFront) from malicious attacks - You can now protect all applications behind the VPN virtual server by binding the Web App Firewall policy to the VPN virtual server. For example, a company hosts three critical applications (SAP, Workday, and Tally) behind a VPN virtual server:
     - Create a profile for each application, configured with the security checks that application needs.
     - Add an app firewall policy for each application and associate it with the matching profile:

         add appfw policy sap_policy "HTTP.REQ.URL.CONTAINS(\"sap.com\")" pr-basic1
         add appfw policy workday_policy "HTTP.REQ.URL.CONTAINS(\"workday.com\")" pr-basic2
         add appfw policy tally_policy "HTTP.REQ.URL.CONTAINS(\"tally.com\")" pr-basic3

     - Bind the created policies to the VPN vserver.

     Bot-related expressions - You can now use bot-related expressions in your policies for routing or for taking a certain action on your traffic. For example:
       HTTP.REQ.BOT.IS_SUSPECTED - Returns true if the client is suspected to be a bot.
       HTTP.REQ.BOT.TYPE.EQ(<bot type>) - Returns true if the client bot type is the same as the argument. Possible values: GOOD, BAD, and UNKNOWN.

     Security violations display OWASP tags - In the NetScaler Console GUI, security violations now display OWASP tags. It supports the OWASP 2017 and OWASP 2021 lists, and these tags help you determine whether a violation belongs to the OWASP Top 10.

     Create or Update API definitions from discovered API endpoints - NetScaler admins can create or update an existing API Definition from the discovered API endpoints. This removes the need for admins to wait for an API schema file from the app owners/developers.

     Proxy auth support for signatures and IP Reputation - In cases where NetScaler cannot connect to the internet directly, or if the customer needs an added layer of security, you can configure a proxy server for retrieving the latest WAF and Bot signatures and IP Reputation feeds.

     Custom keyword support for JSON payload - SQL injection and command injection checks have a predefined set of keywords or patterns that they look for in incoming requests. However, if the end user wants to add additional keywords to reduce false positives, they can use this feature to add custom keywords of their choice.

     CLI/API support to enable WAF signatures - You can now enable individual signatures in your NetScaler Web App Firewall through CLI commands or API calls. For example:

         import appfw signatures DEFAULT object_name -sigRuleId 1001 9882 2000 1250 810 -Enabled ON -Action LOG BLOCK
         import appfw signatures DEFAULT object_name -sigCategory web-misc -Enabled ON -Action LOG BLOCK

     Configurable payload size for inspection - Post Body Limit (Bytes) limits the request payload (in bytes) inspected by Web Application Firewall. Default value: 20000000. Minimum value: 0. Maximum value: 10 GB.
  5. Sounds good. It would be easier for us once support gets back to the engineering team, so we can troubleshoot the issue further.
  6. @Michael B - I tried this internally but did not face this issue. Besides, we haven't come across any known issues around the WAF wizard for 13.1-49.15 builds. Could you please raise a support ticket, as I feel more info might be required to troubleshoot this?
  7. @Nicolas Blouin - Could you please elaborate on the protection you want to enable? For example: do you want to secure your published apps from OWASP Top-10 attacks?
  8. Yes, those stylebooks should be applicable to 14.1 as well. Just to clarify on protecting apps behind the VPN, would that be true for https://docs.citrix.com/en-us/tech-zone/build/deployment-guides/secure-private-access-on-premises.html? Yes, you're absolutely correct. Be it a published app or an internal private app, you can use WAF today to secure them by binding AppFw policies to the VPN server.
  9. The WAF profile is only to protect the apps behind the VPN and not the VPN itself; see this use case here. To protect your VPN server, please refer to the following doc: https://community.netscaler.com/s/article/protect-gateway-waf-bot-aaa
  10. @George Michaelides - Are you looking to secure the VPN server, or are you trying to secure the apps behind it?
  11. @Eirik Vesterhus - Thank you for bringing this to our attention. We will update the docs to reflect all the relevant IP Rep URLs.
  12. Please check this video to set up API GW - https://citrix.sharefile.com/d-sb6f56051247b4c33aec8f3d89c171e53. Meanwhile, I'll check the feasibility of the above deployment.