Info: OpenSSL Heartbleed (CVE-2014-0160) issue doesn’t affect Citrix Netscaler, but…

Hello Folks,

Everyone is talking about the OpenSSL Heartbeat/Heartbleed issue and how bad it is… It reminds me a little of the Sasser/MSBlast wave a couple of years ago.


In any case, if you are currently using Citrix Netscaler to protect your environment, you should take a look at CTX140605.

In general the Citrix Netscaler itself is not affected by the Heartbleed issue, but please note: this does not apply to the internal websites running on your servers behind the Netscaler. If you use an Apache-based web server, for example, you should verify its OpenSSL version and upgrade the web server. The Netscaler itself is safe at the moment, and external access to websites hosted in your fabric should also be safe as long as the external connection runs through the Netscaler and the Netscaler terminates the SSL connection, because then the backend server never sees the attacker's heartbeat messages. (If the Netscaler only passes the SSL session through to the backend, i.e. SSL bridging, the backend's own OpenSSL still handles the heartbeat and remains exposed.) The primary risk are internal sites in your company where the Netscaler can be or is bypassed for internal access/users and where the affected OpenSSL version 1.0.1 (1.0.1 through 1.0.1f; 1.0.1g contains the fix) is in use.

So the “but…” in the headline points to the fact that many attacks originate from internal sources/users, and there, depending on your network setup, the Netscaler will not help you if the vulnerable OpenSSL 1.0.1 is in use.

I am quite sure a few web-based companies are now feeling sad that they did not use the Netscaler in the past. 🙂

Cheers

Michael

P.S.: If you want to check your site, visit http://filippo.io/Heartbleed/; if your site is reported as “insecure”, you should do the following steps asap.

1) Upgrade your web server to a fixed OpenSSL version (1.0.1g or later, or your distribution's patched package) and restart every service that links against OpenSSL, so the old library is no longer loaded in memory.
2) Generate new private keys and replace all SSL certificates in use with new ones issued for those keys, then revoke the old certificates (a new certificate on the old key is worthless if the key has already leaked).
3) Notify all users to change their passwords (force them), and invalidate existing sessions/cookies, since session tokens may have leaked as well.

There are already a lot of articles covering this in more detail, so there is no need to repeat it here… I hope…

P.S.2: Details about the OpenSSL issue can be found here https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160