Attention: vulnerability in Citrix NetScaler (CTX276688)
Thank you for using NTT Communications Enterprise Cloud (ECL) service.
A vulnerability (CTX276688) has been confirmed in Citrix NetScaler, which is provided through the Load Balancer (NetScaler VPX) menu of Enterprise Cloud 2.0 (hereinafter, ECL2.0). Customers using the Load Balancer (NetScaler VPX) menu are advised to check the latest vulnerability information and take the necessary actions.
Load Balancer (NetScaler VPX)
- Please verify that access to the management interface (SNIP) is allowed only from a secure environment. The following NetScaler settings can be used for this:
If necessary, we recommend
(1-1) disabling management communication on unnecessary management interfaces and
(1-2) restricting the IP addresses that can access the necessary management interfaces.
Please note that if you disable management communication on all management interfaces, you will not be able to log in to NetScaler.
1-1. Disabling management communication to the management interface (SNIP)
* This does not apply to communication to the IP address (VIP) on which the load balancer accepts traffic from clients.
* Please set up NetScaler from a secure environment such as an internal network.
1-2. Restricting the IP addresses allowed to access the management interface (SNIP)
- In addition to the above, if you are using Citrix (formerly NetScaler) Gateway on 12.0-53.13_Standard_Edition, please either migrate to 12.1-55.18_Standard_Edition by referring to the procedure here, or stop using the corresponding function. The following describes how to confirm whether you are using Citrix Gateway and how to stop using it. How to access the GUI/CLI is described here.
Click “System>Setting>Configure Basic Features” on the dashboard. If the “Citrix/NetScaler Gateway” checkbox is checked, the function is enabled. You can disable it by clearing the checkbox.
If SSL VPN is shown as ON after you enter the following command, the function is enabled.
>show ns feature
If it is ON, you can disable it by entering the following command.
>disable ns feature sslvpn
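
The CLI check above can be repeated across several load balancers by saving each appliance's `show ns feature` output and parsing it. The following is an added example, not part of the original notice or of any Citrix or NTT tooling. The sample output is constructed, and its column layout (index, feature name, acronym, status) is an assumption about how the table is printed.

```python
import re

# Constructed, abridged sample of `show ns feature` output (not from a real appliance).
SAMPLE_OUTPUT = """\
> show ns feature

        Feature                        Acronym              Status
        -------                        -------              ------
 1)     Web Logging                    WL                   OFF
 2)     Surge Protection               SP                   OFF
 3)     Load Balancing                 LB                   ON
 4)     Content Switching              CS                   ON
 5)     SSL Offloading                 SSL                  ON
 6)     SSL VPN                        SSLVPN               ON
 Done
"""

# Assumed row layout: "<n>)  <feature name>  <acronym>  <ON|OFF>"; names may contain single spaces.
ROW = re.compile(r"^\s*\d+\)\s+(?P<name>.+?)\s{2,}(?P<acronym>\S+)\s+(?P<status>ON|OFF)\s*$")

def parse_features(output):
    """Return {acronym: (feature name, is_on)} for every table row found."""
    features = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            features[m["acronym"].upper()] = (m["name"], m["status"] == "ON")
    return features

def gateway_enabled(output):
    """True if the SSL VPN (Gateway) feature is ON; ValueError if its row is missing."""
    features = parse_features(output)
    if "SSLVPN" not in features:
        raise ValueError("no SSLVPN row: output truncated or not from 'show ns feature'")
    return features["SSLVPN"][1]

def audit(outputs):
    """Given {appliance name: captured output}, list appliances with SSL VPN still ON."""
    return sorted(name for name, out in outputs.items() if gateway_enabled(out))

if __name__ == "__main__":
    off = re.sub(r"(SSLVPN\s+)ON", r"\1OFF", SAMPLE_OUTPUT)  # second constructed sample
    for name in audit({"vpx-a": SAMPLE_OUTPUT, "vpx-b": off}):
        print(f"{name}: SSL VPN is ON; migrate or run 'disable ns feature sslvpn'")
```

A missing SSL VPN row raises an error instead of being treated as OFF, so a truncated capture is not mistaken for a disabled feature.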