
ShellShock and NetScaler

1-oct-2014 – Updated with new Responder Policy to block ShellShock based on traffic pattern
28-oct-2014 – Updated with new NetScaler version with Bash Fix

This week it happened again: after HeartBleed a couple of months ago, another major security hole popped up: ShellShock, or CVE-2014-6271. In this article I will discuss the bug in general and its impact on NetScaler.

This is not an official Citrix response and all the information on this blog is “as is”. Test everything yourself and monitor the official Citrix advisories for up-to-date information.


This vulnerability allows remote Bash code execution. NIST stated the following:

  • Impact: 10
  • Exploitability: 10
  • Access Vector: Network exploitable
  • Access Complexity: Low
  • Authentication: Not required to exploit
  • Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

That should ring enough bells to get people's attention: it is the highest score a vulnerability can get.


The issue is that some shells handle variables incorrectly. This allows attackers to remotely execute commands. There are several extensive write-ups done by very smart and security conscious people on this topic, for example this one, so let’s not do that again.

It also looks like most Linux, BSD and OS X operating systems are more or less vulnerable, and have been vulnerable for a LONG time. That means that most Linux, BSD and OS X systems out there can be attacked. That includes many web servers running Linux, but also many embedded systems such as the firmware on routers, access points, cameras, etc.

An initial fix that was released for CVE-2014-6271 appears to be insufficient, and a new CVE has been created to track this: CVE-2014-7169.

Local Test

You can test the exploit locally on your system by running:

If your system is vulnerable (like my MacBook) you get the result:

If the system is not vulnerable (according to current insights into this!) you would get the following result:

Remote Test

You can test your systems for the exploit remotely by creating the scripts manually as described on this site, or this site, or by running one of the many test sites out there (but remember that there is no official test, and who gets the result if you are vulnerable?). Some sites that pop up in Google:

NetScaler and ShellShock

Let’s first start with the official Citrix release as this is the resource that is constantly updated with the latest information from the source. Citrix has created CTX200217 for this.

The official Citrix Response is the resource that will get updated regularly.

At the moment of writing this (27th sept) the main NetScaler traffic path does not seem to be impacted.

The management interface might be affected, so make sure (in line with best practices) not to have any public-facing management ports open. It looks like the BSD version is vulnerable but cannot be remotely attacked.

Citrix has released new NetScaler releases that have fixed the issue as a “defence in depth” measure. The versions are:

  • NetScaler Release 10.5-52.11
  • NetScaler Release 10.1-129.11
  • NetScaler Release 9.3-67.5
  • SDX Release 10.5 Build 52.11r1 Bundle

As most of you know, a NetScaler consists of two parts: a BSD kernel and a NetScaler kernel. The BSD kernel is used for management and file access, while the NetScaler kernel does the heavy lifting and intelligent network work. This might explain why one might be affected where the other does not look like it is.

Additional measures

You can implement additional measures on the NetScaler to protect the system and the servers behind it. Since in most environments the NetScaler sits at the gate, it is an ideal place for countermeasures.

  • Make sure management interfaces are not publicly accessible.
  • If you run AppFirewall, make sure to implement the Official AppFirewall update Citrix released to counter ShellShock (requires MyCitrix login)
  • Create custom responder and logging policies to drop traffic matching the ShellShock traffic pattern. Please read below.

Responder against ShellShock

In this Citrix Forum post Eric Julien posted a Responder Policy that can drop traffic matching ShellShock traffic (or at least one of the patterns we currently see in ShellShock traffic). This command was later updated by Bino Gopal (30 Sept) from Citrix with the following, which should block all ShellShock traffic:

Please note that this responder policy will analyse most of the HTTP header and body against a regular expression. This is a costly process and will increase the load on your system!

Please also note that this policy is NOT validated by Citrix, nor has it been tested extensively. Use at your own risk.
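
As an added illustration (not the policy from the Citrix forum, and not Citrix code), the following Python applies the kind of regular-expression match such a policy relies on to constructed HTTP requests. The `() {` signature is an assumption based on the publicly documented CVE-2014-6271 trigger, and all function and variable names are hypothetical.

```python
import re
from urllib.parse import unquote

# Assumption: the signature is the "() {" prefix that vulnerable Bash parses
# as a function definition when it starts an environment value (CGI copies
# request headers into the environment). Extra whitespace is tolerated.
SIGNATURE = re.compile(r"\(\s*\)\s*\{")

def parse_head(raw):
    """Split a raw HTTP request head into its request line and header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.append((name.strip().lower(), value.strip()))
    return request_line, headers

def flag_request(raw):
    """Return the places (request line or header names) carrying the signature."""
    request_line, headers = parse_head(raw)
    hits = []
    # Percent-decode first so an encoded copy of the signature is not missed.
    if SIGNATURE.search(unquote(request_line)):
        hits.append("request-line")
    for name, value in headers:
        if SIGNATURE.search(unquote(value)):
            hits.append(name)
    return hits

# Constructed sample requests, not captured traffic.
BENIGN = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
)
IN_HEADER = (
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: () { :; }; echo constructed-marker\r\n\r\n"
)
IN_ENCODED_URL = (
    "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%20%7D HTTP/1.1\r\n"
    "Host: www.example.com\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (BENIGN, IN_HEADER, IN_ENCODED_URL):
        print(raw.split("\r\n", 1)[0], "->", flag_request(raw) or "clean")
```

This example inspects only the request line and headers; applying the same expression to request bodies would also match ordinary JavaScript such as `function () {`.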
