Mitigate Vulnerabilities in Citrix Netscaler & Storefront – Penetration test

I thought i’ll do a small write up of mitigating vulnerabilities in Citrix Netscaler & Storefront  found during penetration test. This may not consist the complete list, however it’ll help to address few.

  • There are vulnerabilities in SSL v3.0 and TLS  v1.0. POODLE attack & BEAST attack which are shown in CVE’s CVE-2011-3389, CVE-2014-3566. To disable SSL v3.0 & TLS v1.0

Create a dword “Enabled” under below paths and assign value to 0. Ofcourse reboot.

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\TLS 1.0\Server

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Server

If you’re still using SF version less than 3.5, this will impact as TLS1.2 is not supported. So upgrade your storefront to latest.

  • Ciphered service support use of RC4 ciphers as part of it’s cipher suites. Covered in CVE’s CVE-2013-2566, CVE-2015-2808. To reconfigure ciphered service to avoid use of RC4 ciphers do as below

Create dword “Enabled” under below path and assign value to 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128

  • IIS in storefront servers leak server information in it’s HTTP responses. I use URLREWRITE option to remove unwante response headers.

Typically we have 3 response headers which mostly to be removed for security reason.

  • Server – Specifies web server version.
  • X-Powered-By – Indicates that the website is “powered by ASP.NET.”
  • X-AspNet-Version – Specifies the version of ASP.NET used.

Go to the site where the change has to be applied, select URL Rewrite > Add Rules > Outbound Rules > Blank rule


Give it a name, Matching scope, Variable name & pattern


Select action type as Rewrite


It’ll be the same for other 2 rules aswell, except the variable name will be different and use a name of your like.Other settings will remain the same as above

For X-Powered-By rule use the variable as RESPONSE_X-POWERED-BY

For X-AspNet-Version rule use the variable as RESPONSE_X-ASPNET-VERSION

You should have 3 outbound rules as below


  • Onto Netscaler, few critical things as disable SSLv3/TLSv1.0, Enable secure access only for management, create custom cipher groups with only needed ciphers, configure NTP service not to listen to monlist(CVE-2013-5211)

Disable SSLv3.0/TLSv1.0 on the LB vServers & Gateway vServers. I had few issues disabling TLSv1.0 in a ICA proxy deployment, didn’t check it further.

Enable “Secure access only” access for management. Detailed steps in 

Create a custom cipher group and bind it to the vServers, I’ll not detail the process; however the ciphers as below


Configure NTP service not to respond to monlist query

  • Edit the file /flash/nsconfig/ntp.conf >  add restrict default noquery > Save & Exit
  • Identify and kill the ntp process (ps -aux |grep “ntp” & kill <PID>)
  • Start NTPD (/usr/sbin/ntpd -g -c /flash/nsconfig/ntp.conf)
  • Verify monlist



Hope it was helpful, comments are welcome.