    NetScaler Cyber Threat Intelligence
    NetScaler WAF Signatures Update v112

     

    NetScaler has new signatures available for its integrated Web App Firewall to help customers mitigate several CVEs, two of which are rated 9.8 (Critical) under CVSS v3: CVE-2023-29357, a Microsoft SharePoint Server elevation of privilege vulnerability, and CVE-2023-32563 in Ivanti Avalanche.

    CVE-2023-29357 is an elevation of privilege vulnerability in Microsoft SharePoint Server. This vulnerability allows authenticated attackers to escalate their privileges by exploiting certain misconfigurations in the affected Microsoft SharePoint Server versions. Microsoft has released a security update that resolves this vulnerability, along with other vulnerabilities such as a denial of service vulnerability and a spoofing vulnerability. The security update is available for SharePoint Server 2019 Language Pack and can be obtained through Microsoft Update, Microsoft Update Catalog, or Microsoft Download Center.

    Ivanti Avalanche is an enterprise mobile device management solution, and CVE-2023-32563 is a directory traversal flaw that has been identified in Ivanti Avalanche. This vulnerability could allow remote code execution and is rated as critical. Ivanti has released a security update that addresses this vulnerability, along with other vulnerabilities such as a stack-based buffer overflow vulnerability, multiple remote code execution vulnerabilities, and multiple authentication bypass vulnerabilities. The security update is available for Avalanche 6.4.1 and older versions and can be obtained through the Ivanti website.

    Signatures included in v112:

    Rule     CVE ID           Description
    998632   CVE-2023-39526   WEB-MISC PrestaShop Prior to 8.0.5, 8.1.1 and 1.7.8.10 - Arbitrary File Write Vulnerability via OUTFILE (CVE-2023-39526)
    998633   CVE-2023-39526   WEB-MISC PrestaShop Prior to 8.0.5, 8.1.1 and 1.7.8.10 - Arbitrary File Write Vulnerability via DUMPFILE (CVE-2023-39526)
    998634   CVE-2023-39143   WEB-MISC PaperCut NG/MF Prior to 22.1.3 - Path Traversal Vulnerability in CustomReportExampleServlet (CVE-2023-39143)
    998635   CVE-2023-37979   WEB-WORDPRESS Ninja Forms Contact Form Plugin Up to 3.6.25 - Cross-Site Scripting Vulnerability (CVE-2023-37979)
    998636   CVE-2023-33652   WEB-MISC Sitecore - Remote Code Execution Vulnerability (CVE-2023-33652)
    998637   CVE-2023-32563   WEB-MISC Ivanti Avalanche Prior to 6.4.1 - Arbitrary File Upload Vulnerability (CVE-2023-32563)
    998638   CVE-2023-29357   WEB-MISC Microsoft SharePoint Server - Elevation of Privilege Vulnerability via access_token/proof token (CVE-2023-29357)
    998639   CVE-2023-29357   WEB-MISC Microsoft SharePoint Server - Elevation of Privilege Vulnerability via Authorization Header (CVE-2023-29357)
    998640   CVE-2023-22480   WEB-MISC KubeOperator Prior to 3.16.4 - Improper Authorization Vulnerability (CVE-2023-22480)
    998664   CVE-2023-26360   WEB-MISC Adobe ColdFusion - Deserialization of Untrusted Data Vulnerability (CVE-2023-26359, CVE-2023-26360)

    NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. The signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

     

    If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 112 or later and then follow these steps:

    1. Search your signatures for <number>
    2. Select the results with ID
    3. Choose "Enable Rules" and click OK

     

    NetScaler WAF Best Practices

    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

    Handling false positives

    If application availability is affected by false positives resulting from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

     

    Modifications to NetScaler Web App Firewall Policy:

    add policy patset exception_list

    # (Example: bind policy patset exception_list "/exception_url")

    Prepend the existing WAF policy with:

    HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT

    # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

    NOTE: Any endpoint covered by exception_list is no longer evaluated by the WAF policy, which may expose those assets to the risks the signatures mitigate.
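To make the scope of that relaxation concrete, the following added example (not NetScaler code or part of this article) models how the prefixed expression decides whether the WAF policy still fires. It assumes HTTP.REQ.URL is the request URL including the query string and that CONTAINS_ANY is a substring match against every pattern bound to the patset; the tighter HTTP.REQ.URL.PATH.EQUALS_ANY variant is a suggested alternative, not one the article gives.

```python
"""Model of the exception_list relaxation (added example, not NetScaler code).

Assumptions: HTTP.REQ.URL is the full request-URI including the query string,
and CONTAINS_ANY(<patset>) is true if any bound pattern occurs anywhere in it.
The WAF policy fires only when the prefixed expression
HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT evaluates to true.
"""
from urllib.parse import urlsplit

# Patterns bound to the patset, as in the article's example bind command.
EXCEPTION_LIST = ["/exception_url"]


def contains_any(text: str, patset: list[str]) -> bool:
    """CONTAINS_ANY: true if any bound pattern occurs anywhere in text."""
    return any(p in text for p in patset)


def equals_any(text: str, patset: list[str]) -> bool:
    """EQUALS_ANY: true only if text is exactly one of the bound patterns."""
    return text in patset


def waf_applies_relaxed(request_url: str, patset=EXCEPTION_LIST) -> bool:
    """HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT, as in the article."""
    return not contains_any(request_url, patset)


def waf_applies_strict(request_url: str, patset=EXCEPTION_LIST) -> bool:
    """Tighter variant (assumption, not from the article):
    HTTP.REQ.URL.PATH.EQUALS_ANY("exception_list").NOT, i.e. compare only
    the path component and require an exact match."""
    return not equals_any(urlsplit(request_url).path, patset)


# Constructed sample requests chosen to show where the two forms differ.
SAMPLE_URLS = [
    "/exception_url",                   # the intended exception
    "/exception_url?id=1",              # query string on the excepted path
    "/api/report?next=/exception_url",  # pattern appears only in the query
    "/admin/exception_url/settings",    # pattern appears mid-path
    "/admin/settings",                  # ordinary request, no pattern
]


def compare(urls=SAMPLE_URLS) -> dict[str, tuple[bool, bool]]:
    """Map URL -> (WAF applies under relaxed rule, WAF applies under strict rule)."""
    return {u: (waf_applies_relaxed(u), waf_applies_strict(u)) for u in urls}


if __name__ == "__main__":
    for url, (relaxed, strict) in compare().items():
        print(f"{url:36} relaxed={relaxed!s:5} strict={strict!s:5}")
```

The two middle cases show why the NOTE matters: with the substring form, any request whose URL merely contains a bound pattern is excluded from WAF inspection, while the path-exact form keeps inspection on everything except the excepted path itself.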

    Additional Information

    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.

    Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.

    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 
