After the publicity around the latest OpenSSL vulnerability, CVE-2014-0160 (aka Heartbleed), I investigated whether Netscaler's firmware was vulnerable to it. I soon found out that Netscaler's software is NOT vulnerable. But during my investigation I noticed that the OpenSSL implementation it ships is very old (2004). This raised some questions:
- Why is this old version still actively used by the Netscaler firmware?
- Is OpenSSL used for SSL authentication?
- Is this version subject to all the vulnerabilities that were discovered since 2004?
After some discussion on the Citrix Forums, Citrix Netscaler product manager Steve Shah finally gave a conclusive statement today:
Starting with the most important detail: NetScaler is NOT vulnerable to CVE-2014-0160. We have an up to date set of information at http://support.citrix.com/article/CTX140605
There seems to be some confusion around our SSL implementation and our patch strategy as well.
The NetScaler has two halves: the Internet-facing front half which uses our own SSL stack and is not vulnerable to OpenSSL. Our SSL stack is not OpenSSL. The second half is the management half which does use OpenSSL.
We validate our internal SSL stack against all SSL vulnerabilities posted against all SSL stacks out there.
For our OpenSSL implementation, we keep it patched for all the latest security issues, but not for the latest features. This is done to mitigate risk and maintain a stable code base where possible. Because the features do not change, we leave the version number of OpenSSL alone (openssl version) so that components that look at the version number to determine which API to use behave themselves.
We use this strategy across all of the relevant open source we use, including OpenSSH. This leads to false positives from some security scanners that only use the version number to determine if a stack is vulnerable.
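To illustrate the scanner false positive described above, here is an added example (my own code, not from the post, Citrix or any scanner). It compares a naive verdict based only on the `openssl version` banner against one that also honours a vendor-supplied list of backported fixes; the banner strings are constructed, and the `backported_fixes` set stands in for information that would have to come from a vendor advisory such as CTX140605, since the banner cannot reveal it.

```python
import re

# Heartbleed (CVE-2014-0160) affects the 1.0.1 release branch from 1.0.1 up to
# and including 1.0.1f; 1.0.1g shipped the fix. 0.9.x and 1.0.0 never contained
# the TLS heartbeat code, so they are out of range.
HEARTBLEED_FIRST = (1, 0, 1, "")
HEARTBLEED_FIXED = (1, 0, 1, "g")

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e'); None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def banner_says_vulnerable(banner):
    """Version-number-only verdict: the logic a naive scanner applies."""
    v = parse_openssl_version(banner)
    if v is None:
        return False
    # Tuple comparison orders the patch letter after the numeric fields.
    return HEARTBLEED_FIRST <= v < HEARTBLEED_FIXED


def assess(banner, backported_fixes=frozenset()):
    """Verdict that also honours fixes the vendor backported without bumping
    the version string. backported_fixes is a hypothetical set of CVE ids taken
    from the vendor's advisory; a scanner that lacks it can only guess."""
    if not banner_says_vulnerable(banner):
        return "not affected"
    if "CVE-2014-0160" in backported_fixes:
        return "banner matches, but fix backported (scanner false positive)"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed banners; the real NetScaler build string is not given here.
    vendor_patched = {"CVE-2014-0160"}
    for b in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
              "OpenSSL 0.9.8y 5 Feb 2013"):
        print(b, "->", assess(b), "|", assess(b, vendor_patched))
```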