Symptoms or Error
PCI security vulnerability scanners report that NetScaler-hosted virtual servers using Cookie Insert persistence are vulnerable because the Secure flag is not set on the NSC_ persistence cookie, even though the useSecuredPersistenceCookie option is enabled on the virtual servers.
Example CVEs: CVE-2004-0462, CVE-2008-3663, CVE-2008-3662, CVE-2008-0128
Qualys QID: 150122
Solution
This vulnerability alert is a false positive, provided that the NetScaler is configured with the useSecuredPersistenceCookie option, in conjunction with a reasonably complex cookiePassphrase.
Additionally, Cookie Persistence cookies (which, by default, start with NSC_) do not contain any session-identifiable or authentication information. They only tell the NetScaler which backend server the connection is persistent to, so the cookie cannot be used to spoof a connection or a user.
Note: Prior to NetScaler 10.5 build 55.8, the useSecuredPersistenceCookie option was unavailable. On these builds, it is recommended to upgrade or, at a minimum, to use the SSL protocol on any virtual servers that use Cookie Insert persistence.
Problem Cause
- Vulnerability scans report on the Secure flag of cookies, which instructs the browser not to send the cookie unless the connection is SSL-encrypted. The vulnerability scan does not identify applications that use proprietary encryption to protect the contents of the cookie.
- The useSecuredPersistenceCookie option instructs the NetScaler to use proprietary encryption (with the supplied passphrase) to encrypt the cookie contents, which is a different control than the one the vulnerability scans check for.
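To triage such a scanner finding, it helps to separate NSC_ persistence cookies (whose contents carry no session or authentication data) from application cookies that also lack the Secure flag. The following is an added example, not part of the original article or of NetScaler itself; the response headers and cookie values are constructed and the parser assumes standard Set-Cookie syntax.

```python
"""Triage Set-Cookie headers from a captured HTTPS response: report cookies that lack
the Secure flag, split into NetScaler NSC_ persistence cookies and application cookies."""
from dataclasses import dataclass, field

# Constructed sample response, as a scanner would capture it (values are placeholders).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: NSC_wjq_kc=ENCRYPTED_EXAMPLE_VALUE; path=/\r\n"
    "Set-Cookie: JSESSIONID=EXAMPLESESSION; Path=/; HttpOnly\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n"
)


@dataclass
class Cookie:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        # Attribute names are case-insensitive; they are stored lower-cased.
        return "secure" in self.attributes

    @property
    def is_persistence_cookie(self) -> bool:
        # NetScaler Cookie Insert persistence cookies start with NSC_ by default.
        return self.name.startswith("NSC_")


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def triage(raw_headers: str) -> dict:
    """Return names of cookies missing Secure, split into persistence and application cookies."""
    header_block = raw_headers.split("\r\n\r\n", 1)[0]
    lines = header_block.split("\r\n")[1:]  # drop the status line
    cookies = [parse_set_cookie(line.split(":", 1)[1])
               for line in lines if line.lower().startswith("set-cookie:")]
    insecure = [c for c in cookies if not c.secure]
    return {
        "persistence_missing_secure": [c.name for c in insecure if c.is_persistence_cookie],
        "application_missing_secure": [c.name for c in insecure if not c.is_persistence_cookie],
    }
```

Cookies listed under application_missing_secure are the ones the scanner's check is really about; the NSC_ entries are the case this article describes as a false positive once useSecuredPersistenceCookie is enabled.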
Additional Resources
- Simplified definition of cookie Secure flag: https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie
- Related RFC: http://tools.ietf.org/html/rfc6265#page-21 (section 4.1.2.5)
- Documentation on Cookie Persistence and the useSecuredPersistenceCookie option: http://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-persistence/http-cookie-persistence.html