CVE-2017-17549

Current Description

Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 allow remote attackers to obtain sensitive information from the backend client TLS handshake by leveraging use of TLS with Client Certificates and a Diffie-Hellman Ephemeral (DHE) key exchange.

Basic Data

PublishedDecember 13, 2017
Last ModifiedJanuary 05, 2018
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeCWE-200
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 2 - Access VectorNETWORK
CVSS 2 - Access ComplexityMEDIUM
CVSS 2 - AuthenticationNONE
CVSS 2 - Confidentiality ImpactPARTIAL
CVSS 2 - Availability ImpactNONE
CVSS 2 - Base Score4.3
SeverityMEDIUM
Exploitability Score8.6
Impact Score2.9
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

CVSS 3 - Version3.0
CVSS 3 - Vector StringCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 3 - Attack VectorNETWORK
CVSS 3 - Attack ComplexityHIGH
CVSS 3 - Privileges RequiredNONE
CVSS 3 - User InteractionNONE
CVSS 3 - ScopeUNCHANGED
CVSS 3 - Confidentiality ImpactHIGH
CVSS 3 - Integrity ImpactNONE
CVSS 3 - Availability ImpactNONE
CVSS 3 - Base Score5.9
CVSS 3 - Base SeverityMEDIUM
Exploitability Score2.2
Base SeverityMEDIUM

Configurations

  • OR - Configuration 1
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSCitrixApplication Delivery Controller Firmware10.5*******
    2.3OSCitrixApplication Delivery Controller Firmware11.0*******
    2.3OSCitrixApplication Delivery Controller Firmware11.1*******
    2.3OSCitrixApplication Delivery Controller Firmware12.0*******
  • OR - Configuration 2
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSCitrixNetscaler Gateway Firmware10.5*******
    2.3OSCitrixNetscaler Gateway Firmware11.0*******
    2.3OSCitrixNetscaler Gateway Firmware11.1*******
    2.3OSCitrixNetscaler Gateway Firmware12.0*******

Vulnerable Software List

VendorProductVersions
Citrix Application Delivery Controller Firmware 10.5, 11.0, 11.1, 12.0
Citrix Netscaler Gateway Firmware 10.5, 11.0, 11.1, 12.0

References

NameSourceURLTags
102177http://www.securityfocus.com/bid/102177BIDThird Party Advisory VDB Entry
1040011http://www.securitytracker.com/id/1040011SECTRACKThird Party Advisory VDB Entry
https://support.citrix.com/article/ctx230612https://support.citrix.com/article/ctx230612CONFIRMVendor Advisory