Recently, Citrix released a patch for vulnerabilities in Citrix ADC (formerly called NetScaler). While not as bad as the one we all enjoyed in January 2020, there are a couple of security items worth looking into. The bulletin is rated medium severity.
The first fix remediates a network denial of service from the same Layer 2 network segment. It could cause uncontrolled resource consumption, but the attacker must be on the same Layer 2 segment as the vulnerable appliance. A quick firmware update and you're covered against an unlikely attack.
The second involves a Security Assertion Markup Language (SAML) authentication hijack: a phishing attack used to steal a valid user session. This is still a complicated attack, but it is a lot more likely. It only applies if your ADC is acting as a SAML Service Provider (SP) or Identity Provider (IdP). You can check the authentication section of your ADC to see whether that is the case. Navigate to Security, AAA-Application Traffic, Policies, Authentication. Look for entries in the Authentication SAML Policy, Authentication SAML Server, Authentication SAML IDP Policy, and Authentication SAML IDP Profile sections. If all of them show "No" (nothing configured), like in this graphic, no further action is required.
What if I am using SAML?
Citrix has created a KB article listing the required commands, with an example of which commands to use when the Gateway is acting as the SP or as the IdP. One of the most popular uses of SAML on ADCs is to use Active Directory to authenticate users of Content Collaboration (formerly called ShareFile). The instructions in the Citrix KB article do not show the correct commands for Content Collaboration, and the How To article has not been updated with the required command either, so you cannot find it there. One of my customers needed the commands entered, and after failing to enter them correctly myself, I logged a trouble ticket and the correct command was created. My hope is that users can use this article instead of having to open a ticket until Citrix updates the How To or creates an article themselves.
The SP portion follows the KB article fine: the relay state website is obvious and the command is easy. The IdP profile rule, however, is a bit more difficult. It requires some investigating and data collecting on your part. The following walkthrough shows what you need to know to create the right rule.
First, make sure the SAML developer tools extension has been added to your browser. For Chrome the extension can be found here; for Firefox, here. The screenshots shown are from Chrome. Navigate to the login screen (https://companyname.sharefile.com). Then launch the developer tools via the three-dot menu, More tools, Developer tools, or by pressing F12. Select the SAML tab and check the box for "Show only SAML".
Then return to the login page and click the Company Employee Sign In button.
Once you have done that, you will see the POST method populated. This POST is the SAML authentication request that ShareFile (the SP) sends to your ADC (the IdP). Select it and choose SAML in the right-hand pane; the parts you need for the command are shown there.
Configuring the ADC
The AssertionConsumerServiceURL and the idpentityid query parameter it carries are both required for the correct command. The rule is an allow-list: after the fix, the ADC will only send an assertion to an ACS URL the rule accepts, so the value must match exactly what the legitimate request carries. You can enter it through the GUI by editing the SAML IDP Profile and adding the following to the Assertion Consumer Service Url Rule field:
aaa.login.saml_req_acs_url.EQ("https://<customername>.sharefile.com/saml/acs?idpentityid=https://<FQDNofStorageZone>")
Where <customername> is the sharefile.com subdomain and <FQDNofStorageZone> is whatever follows "idpentityid=" in the AssertionConsumerServiceURL of the POST. For example: aaa.login.saml_req_acs_url.EQ("https://xirtic.sharefile.com/saml/acs?idpentityid=https://storagezone.xirtic.com")
Command Line option
You can also add the rule from the CLI if you prefer. Enter show samlidPProfile to see the list of profiles, then enter set samlidPProfile <idpprofilename> -acsUrlRule "aaa.login.saml_req_acs_url.EQ(\"https://<customername>.sharefile.com/saml/acs?idpentityid=https://<FQDNofStorageZone>\")", replacing <customername> and <FQDNofStorageZone> as demonstrated in the GUI portion. As with any other expression on the ADC CLI, the whole expression goes in double quotes and the quotes inside it are escaped with a backslash. Remember to save the configuration afterwards (save ns config).
If the rule does not exactly match the ACS URL in the request (EQ is an exact string match, so a typo, a missing query string or a stray trailing slash is enough), the ADC returns a SAML error instead of the login screen, and nobody can log in through that profile until it is fixed. Remove the rule to roll back to where you were before, then compare the value in the rule character by character against the POST.
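The following is an added example, not code from the original post or from Citrix. It does in code what the walkthrough above does by hand: it takes the SAMLRequest POST that ShareFile sends to the ADC, decodes the AuthnRequest, pulls out the AssertionConsumerServiceURL and the idpentityid inside it, builds the GUI rule and the escaped CLI command, and then shows which ACS URLs an EQ rule will and will not accept. The AuthnRequest, its hostnames and the profile name sf_idp are all constructed for illustration; the xirtic.sharefile.com and storagezone.xirtic.com values are the placeholders from the text above.

```python
"""Added example (not from the original post): derive the acsUrlRule for a
Content Collaboration SAML IdP profile from the SAMLRequest POST, and check
what the resulting exact-match rule accepts. All names are constructed."""
import base64
import urllib.parse
import zlib
from xml.etree import ElementTree as ET  # use defusedxml for untrusted input

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest, modelled on what the SAML dev-tools panel shows.
# Hostnames and the Issuer value are placeholders, not real deployments.
CONSTRUCTED_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-0001" Version="2.0" IssueInstant="2021-06-10T12:00:00Z"
    Destination="https://gateway.xirtic.com/saml/login"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://xirtic.sharefile.com/saml/acs?idpentityid=https://storagezone.xirtic.com">
  <saml:Issuer>https://xirtic.sharefile.com/saml/info</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_saml_request(xml_text: str, deflate: bool = False) -> str:
    """Encode an AuthnRequest as the SAMLRequest parameter value.
    HTTP-POST binding: base64 only. HTTP-Redirect binding: raw deflate, then base64."""
    data = xml_text.encode()
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode()


def constructed_post_body() -> str:
    """The form body the browser POSTs to the ADC IdP (constructed)."""
    return urllib.parse.urlencode({
        "SAMLRequest": encode_saml_request(CONSTRUCTED_AUTHN_REQUEST),
        "RelayState": "https://xirtic.sharefile.com/",
    })


def decode_saml_request(value: str) -> str:
    """Undo base64, and raw deflate if present, to get the AuthnRequest XML."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode()  # Redirect binding
    except zlib.error:
        return raw.decode()  # POST binding is not deflated


def acs_url_from_post(body: str) -> str:
    """Pull AssertionConsumerServiceURL out of a SAMLRequest POST body."""
    params = urllib.parse.parse_qs(body)
    root = ET.fromstring(decode_saml_request(params["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    acs = root.get("AssertionConsumerServiceURL")
    if not acs:
        raise ValueError("AuthnRequest carries no AssertionConsumerServiceURL")
    return acs


def split_acs_url(acs: str) -> tuple:
    """Return (<customername>, <FQDNofStorageZone>) as the text defines them."""
    parts = urllib.parse.urlsplit(acs)
    customer = parts.hostname.split(".")[0]
    idpentityid = urllib.parse.parse_qs(parts.query)["idpentityid"][0]
    return customer, idpentityid


def build_acs_url_rule(acs: str) -> str:
    """The expression to paste into the Assertion Consumer Service Url Rule field."""
    return f'aaa.login.saml_req_acs_url.EQ("{acs}")'


def cli_set_command(profile: str, acs: str) -> str:
    """Same rule as a CLI command: whole expression quoted, inner quotes escaped."""
    expr = build_acs_url_rule(acs).replace('"', '\\"')
    return f'set samlidPProfile {profile} -acsUrlRule "{expr}"'


def acs_url_allowed(requested_acs: str, rule_acs: str) -> bool:
    """EQ is an exact, case-sensitive string match: anything else is rejected,
    which is what blocks an attacker-supplied ACS URL and also what breaks
    login when the rule has a typo or a trailing slash."""
    return requested_acs == rule_acs


if __name__ == "__main__":
    acs = acs_url_from_post(constructed_post_body())
    print("customer, idpentityid:", split_acs_url(acs))
    print("GUI rule:", build_acs_url_rule(acs))
    print("CLI:", cli_set_command("sf_idp", acs))
    print("forged ACS allowed:", acs_url_allowed("https://attacker.example/saml/acs", acs))
```

Run it and compare the printed GUI rule against the value shown in the dev-tools pane; the last line illustrates why the rule is worth the effort: an AuthnRequest asking for the assertion to be posted somewhere else is simply refused.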
That should get you what you need for Content Collaboration. The same method (capture the authentication request, read its AssertionConsumerServiceURL, and pin it with an EQ rule) should also point you in the right direction for other SAML IdP profiles.