Netscaler vs CVE-2014-0160 (Heartbleed) OpenSSL vulnerability

Yesterday a lot of attention was drawn to the latest OpenSSL vulnerability (CVE-2014-0160). This vulnerability exposes a lot of SSL deployments to great risk because OpenSSL is a very popular SSL implementation and is used in a wide range of Unix/Linux based applications and appliances.

Being very busy with Citrix Netscaler lately, I immediately recognized the great potential risk of this vulnerability, because the Netscaler firmware also uses this OpenSSL implementation. So I investigated this risk on my own up-to-date Netscaler firmware (124.13) to find out whether this firmware version, and possibly older versions, are vulnerable to this CVE-2014-0160 (Heartbleed) bug.

  • The 1st test I did was browsing to a site that checks your site for this specific vulnerability, http://filippo.io/Heartbleed. The result of the test was not very conclusive: “write tcp xxx.xxx.xxx.xxx:443: broken pipe”

After this check I wondered which versions of OpenSSL are affected by this vulnerability. According to OpenSSL.org’s own site, the vulnerability exists in versions 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a and 1.0.1.

So I immediately logged in to the Netscaler’s SSH console and entered the following commands:

  • > shell
  • # openssl version

This command resulted in the OpenSSL response: “OpenSSL 0.9.7e-p1 25 Oct 2004”
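The check above is a manual one: run `openssl version`, read the banner, and compare it against the affected list. The following script, added here as an example and not part of the original post, automates that comparison using the affected versions the post lists (1.0.1 through 1.0.1f). The banner strings are constructed sample input; on a real appliance you would pass it the output of `openssl version` instead.

```shell
# Added example (not from the original post). Classifies an `openssl version`
# banner against the CVE-2014-0160 affected list quoted in the post.

# Returns 0 (true) when the banner names a Heartbleed-affected release,
# 1 otherwise. $1 is a banner such as "OpenSSL 1.0.1e 11 Feb 2013".
heartbleed_affected() {
    set -- $1            # word-split the banner; $2 is now the version token
    case "$2" in
        1.0.1|1.0.1a|1.0.1b|1.0.1c|1.0.1d|1.0.1e|1.0.1f) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints a one-line verdict for a banner; handy when run interactively.
check_banner() {
    if heartbleed_affected "$1"; then
        printf 'AFFECTED by CVE-2014-0160: %s\n' "$1"
    else
        printf 'not in the affected list: %s\n' "$1"
    fi
}

# Constructed sample banners: the one observed on the Netscaler in the post,
# and an affected release for comparison.
NETSCALER_BANNER="OpenSSL 0.9.7e-p1 25 Oct 2004"
AFFECTED_BANNER="OpenSSL 1.0.1e 11 Feb 2013"

check_banner "$NETSCALER_BANNER"
check_banner "$AFFECTED_BANNER"
# On a live system: check_banner "$(openssl version)"
```

A banner comparison only tells you what the command-line `openssl` binary reports. It cannot see a vendor patch that fixes the bug without changing the version string, nor the opposite case where the SSL stack actually serving port 443 is a different build from the one on the shell, which is exactly why the post also ran an external test against the listening service.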

So I’m very glad to see that the latest version of Netscaler’s firmware, 124.13, does not contain this vulnerability. However, I’m shocked by the ancient version of OpenSSL (release date 25 Oct 2004!!!!) that is used by this latest Netscaler firmware. There is a whole list of vulnerabilities that have been fixed since then.

Update 1, 09-04-2014: Citrix’s security team seems to confirm that Netscaler is not at risk. A public statement has not yet been released.

Update 2, 09-04-2014: Citrix now officially announces that the Citrix Netscaler/Access Gateway/StoreFront products are NOT vulnerable to CVE-2014-0160. The Citrix support document can be found here.

2 Comments to “Netscaler vs CVE-2014-0160 (Heartbleed) OpenSSL vulnerability”

  1. cyclops3590 10 April 2014 at 17:31 #

    Btw, Netscalers don’t use that OpenSSL from what they’re telling me. They have a custom SSL engine that is used, which is why it doesn’t have this vulnerability; it’s a forked version.

  2. Leon van Efferen 11 April 2014 at 11:24 #

    I’ve heard so as well but I cannot seem to get the confirmation from Citrix.
