CVE-2017-5933 — Sensitive Information Exposure in Citrix Netscaler Application Delivery Controller Firmware

CWE-200 — Sensitive Information Exposure8 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.9%

top 23.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Citrix Netscaler Application Delivery Controller Firmware IBM Client Application Access IBM Domino +9 more

Timeline

PublishedFeb 8

Latest updateNov 1

Description

Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 65.11, 11.0 before Build 69.12/69.123, and 11.1 before Build 51.21 randomly generates GCM nonces, which makes it marginally easier for remote attackers to obtain the GCM authentication key and spoof data by leveraging a reused nonce in a session and a "forbidden attack," a similar issue to CVE-2016-0270.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages12 packages

▶citrixcitrix/netscaler_gateway

▶citrixcitrix/netscaler_adc_gateway

▶NVDcitrix/netscaler_application_delivery_controller_firmware10.5.65.11+2

▶citrixcitrix/netscaler_adc

▶citrixcitrix/xenserver

🔴Vulnerability Details

GHSA

GHSA-5c4h-j88c-ggfr: Citrix NetScaler ADC and NetScaler Gateway 10↗2022-05-17

▶

GHSA

GHSA-vxq9-8hgp-5mw5: IBM Domino 9↗2022-05-17

▶

📋Vendor Advisories

Citrix

CVE-2016-0270: IBM Domino 9.0.1 Fix Pack 3 Interim Fix 2 through 9.0.1 Fix Pack 5 Interim Fix 1, when using TLS and AES GCM, uses random nonce generation, which make↗2017-02-08

▶

Citrix

CVE-2017-5933: Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 65.11, 11.0 before Build 69.12/69.123, and 11.1 before Build 51.21 randomly generates GCM↗2017-02-08

▶

Citrix

Citrix Security Bulletin CTX220329↗

▶

📄Research Papers

RFC

Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)↗2022-11-01

▶