

    NetScaler Cyber Threat Intelligence

    NetScaler WAF Signatures Update v113


    NetScaler has new signatures available for its integrated Web App Firewall to help customers mitigate several CVEs, including three CISA published vulnerabilities, namely Ignite Realtime Openfire Path Traversal Vulnerability, Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability and Ivanti Sentry Authentication Bypass Vulnerability.

    CVE-2023-32315 is a vulnerability found in the Openfire administrative console, a web-based application used for managing an XMPP server. This vulnerability allows an unauthenticated user to exploit the Openfire Setup Environment within an established Openfire configuration, accessing restricted pages reserved for administrative users. The vulnerability affects all versions of Openfire released since April 2015, starting with version 3.10.0. The Openfire community has patched this vulnerability in releases 4.7.5 and 4.6.8, with further improvements planned for the upcoming 4.8.0 release. Users are advised to upgrade their Openfire installations to the latest patched versions.

    CVE-2022-24086 is a vulnerability that affects Adobe Commerce versions 2.4.3-p1 and earlier, as well as 2.3.7-p2 and earlier. It is an improper input validation vulnerability that can be exploited during the checkout process. This vulnerability allows arbitrary code execution without requiring user interaction. The severity of this vulnerability is rated as CRITICAL with a CVSS score of 9.8. Adobe has released a security bulletin with more information and instructions on how to apply updates.

    CVE-2023-38035 is an API authentication bypass vulnerability that affects Ivanti MobileIron Sentry versions 9.18.0 and below. This vulnerability allows unauthenticated attackers to access the APIs used to configure Ivanti Sentry on the administrator portal/interface. The administrative interface is also known as the MobileIron Configuration Service (MICS) Admin Portal. By default, the MICS Admin Portal runs on port 84432. The severity of this vulnerability is rated as CRITICAL with a CVSS score of 9.8.

     Signatures included in v113:

     

    Signature rule | CVE ID | Description
    ---------------|--------|------------
    998614 | CVE-2023-38035 | WEB-MISC Ivanti Sentry Up To 9.18.0 - Incorrect Authorization Vulnerability via /asproxy/services/ (CVE-2023-38035)
    998615 | CVE-2023-38035 | WEB-MISC Ivanti Sentry Up To 9.18.0 - Incorrect Authorization Vulnerability via /mics/services/ (CVE-2023-38035)
    998616 | CVE-2023-36846 | WEB-MISC Juniper JunOS SRX - Missing Authentication for Critical Function Vulnerability Via webauth_operation (CVE-2023-36846)
    998617 | CVE-2023-3486 | WEB-MISC PaperCut NG Prior to 22.1.3 - Unrestricted File Upload Vulnerability (CVE-2023-3486)
    998618 | CVE-2023-34468, CVE-2023-40037 | WEB-MISC Apache NiFi Multiple Versions - Command Injection Vulnerability (CVE-2023-34468, CVE-2023-40037)
    998619 | CVE-2023-33653 | WEB-MISC Sitecore - Remote Code Execution Vulnerability (CVE-2023-33653)
    998620 | CVE-2023-33224, CVE-2023-23843 | WEB-MISC SolarWinds Orion Platform Prior to 2023.3 - Remote Code Execution Vulnerability (CVE-2023-33224, CVE-2023-23843)
    998621 | CVE-2023-32566 | WEB-MISC Ivanti Avalanche - SecureFilter Authentication Bypass Vulnerability (CVE-2023-32566)
    998622 | CVE-2023-32562 | WEB-MISC Ivanti Avalanche Prior to 6.4.1 - Unrestricted File Upload Vulnerability (CVE-2023-32562)
    998623 | CVE-2023-32315 | WEB-MISC Ignite Realtime Openfire - Path Traversal Vulnerability (CVE-2023-32315)
    998624 | CVE-2023-28128 | WEB-MISC Ivanti Avalanche Prior to 6.4.0 - Unrestricted Upload Vulnerability (CVE-2023-28128)
    998625 | CVE-2023-27066 | WEB-MISC Sitecore Up To 10.2 - Path Traversal Vulnerability (CVE-2023-27066)
    998626 | CVE-2022-23333 | WEB-MISC Contec SolarView Compact Prior to 7.21 - OS Command Injection Vulnerability (CVE-2022-23333)
    998627 | CVE-2022-37044 | WEB-MISC Zimbra Collaboration Suite Prior to 8.8.15 P33 - XSS Vulnerability via onload (CVE-2022-37044)
    998628 | CVE-2022-37044 | WEB-MISC Zimbra Collaboration Suite Prior to 8.8.15 P33 - XSS Vulnerability via extra (CVE-2022-37044)
    998629 | CVE-2022-37044 | WEB-MISC Zimbra Collaboration Suite Prior to 8.8.15 P33 - XSS Vulnerability via title (CVE-2022-37044)
    998630 | CVE-2022-24086 | WEB-MISC Adobe Magento - Arbitrary Code Execution Vulnerability Via wishlist (CVE-2022-24086)
    998631 | CVE-2022-24086 | WEB-MISC Adobe Magento - Arbitrary Code Execution Vulnerability via checkout (CVE-2022-24086)
    17279 | CVE-2005-1939 | WEB-MISC Ipswitch WhatsUp Small Business directory traversal attempt

     

    NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

     

    If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 113 or later and then follow these steps for each signature rule ID listed in the table above.

    1. Search your signatures for the signature rule ID (<number>)
    2. Select the results with that ID
    3. Choose "Enable Rules" and click OK

     

    NetScaler WAF Best Practices

    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

    Handling false positives

    If application availability is affected by false positives resulting from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

     

    Modifications to NetScaler Web App Firewall Policy:

    add policy patset exception_list

    # (Example: bind policy patset exception_list "/exception_url")

    Prepend the existing WAF policy with:

    HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT

    # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

    NOTE: Any endpoint covered by the exception_list is no longer inspected by the WAF policy and may expose those assets to risks.
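    The following is an added Python model of the relaxation above, not NetScaler code and not part of the original article. It assumes that a patset holds literal patterns and that HTTP.REQ.URL.CONTAINS_ANY(patset) is a substring match of the request URL against every bound pattern, so the prepended ".NOT" term removes any matching URL from WAF inspection. The request URLs are constructed for the dry run; running the model against your own URL inventory before deploying the relaxation shows exactly which paths the NOTE above is warning about, and why a pattern such as "/exception_url" also exempts paths that merely contain it.

```python
"""Dry run of the NetScaler relaxation pattern (constructed model, not NetScaler code).

add policy patset exception_list
bind policy patset exception_list "/exception_url"
set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Set


@dataclass
class Patset:
    """Model of 'add policy patset <name>': a named set of literal patterns."""
    name: str
    patterns: Set[str] = field(default_factory=set)

    def bind(self, pattern: str) -> None:
        # bind policy patset <name> "<pattern>"
        self.patterns.add(pattern)


def contains_any(url: str, patset: Patset) -> bool:
    """HTTP.REQ.URL.CONTAINS_ANY(patset): true if any bound pattern is a substring of the URL."""
    return any(p in url for p in patset.patterns)


def waf_policy_applies(url: str, exception_list: Patset,
                       existing_rule: Callable[[str], bool]) -> bool:
    """HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>"""
    return (not contains_any(url, exception_list)) and existing_rule(url)


def exempted_urls(urls: Iterable[str], exception_list: Patset,
                  existing_rule: Callable[[str], bool] = lambda u: True) -> List[str]:
    """URLs that would bypass WAF inspection under the relaxed policy; review before deploying."""
    return [u for u in urls if not waf_policy_applies(u, exception_list, existing_rule)]


# Constructed request URLs for the dry run (hypothetical application paths).
SAMPLE_URLS = [
    "/exception_url",
    "/exception_url?id=1",
    "/api/exception_url/v2",   # contains the pattern, so it is exempted too
    "/checkout/cart",
    "/admin/login",
]


def demo() -> List[str]:
    """Bind the example pattern and report which constructed URLs lose WAF coverage."""
    exception_list = Patset("exception_list")
    exception_list.bind("/exception_url")
    existing_rule = lambda url: True   # stand-in for the original <existing rule>, e.g. "true"
    return exempted_urls(SAMPLE_URLS, exception_list, existing_rule)


if __name__ == "__main__":
    for url in demo():
        print("not inspected by WAF:", url)
```

    Three of the five constructed URLs are exempted, including "/api/exception_url/v2", which the operator may not have intended; keep exception patterns as specific as the false positive requires, and re-run the dry run whenever the patset changes.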

    Additional Information

    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.

    Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.

    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 
