Citrix ADC, Gateway and SD-WAN WANOP DoS

  • Published: 2 Oct 2020

CVE-2020-8246

Type

  • Denial of Service

Severity

  • Medium

Affected products

  • Citrix ADC, Gateway and SD-WAN WANOP

Timeline

  • 2020-05-19: Issue reported to vendor
  • 2020-05-19: Citrix response, tracking as CASE-8024
  • 2020-10-02: Public disclosure

Description

Various Citrix systems are susceptible to a remote Denial of Service condition via malformed traffic sent to nsconfigd, which by default listens on TCP port 3010. Parsing of the unexpected traffic causes the daemon to go into an infinite loop, after which it will be restarted by the pitboss system watchdog; after 6 restarts the system will reboot.

Impact

Attackers can remotely deny access to the system or resources reliant upon it, causing a permanent outage with repeated exploitation.

Interim Workaround

Deploy network-based access controls in front of the management interface; Citrix strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic.
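
To confirm that the access controls are effective, the check below (an added example, not part of the advisory and not Citrix code) attempts a plain TCP connect to port 3010 on each management address given on the command line and sends no data; run it from a network segment that should not reach the management interface. The function names and the open/closed/unreachable labels are this example's own.

```python
import socket
import sys

NSCONFIGD_PORT = 3010  # default nsconfigd TCP port named in the advisory


def port_state(host, port=NSCONFIGD_PORT, timeout=2.0):
    """Classify a TCP connect attempt from this vantage point.

    'open'        - handshake completed: the ACL does not block this source
    'closed'      - host answered with a reset: reachable, nothing listening
    'unreachable' - timeout or other error: consistent with a filtering ACL
    """
    try:
        # Connect and close immediately; no payload is written to the socket.
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts, routing and name-resolution errors
        return "unreachable"


def audit(hosts, port=NSCONFIGD_PORT, timeout=2.0):
    """Return {host: state} for every management address supplied."""
    return {h: port_state(h, port, timeout) for h in hosts}


def exposed(results):
    """Hosts whose nsconfigd port accepted a connection from this segment."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # Usage (hypothetical file name): python check_3010.py <mgmt-address> ...
    results = audit(sys.argv[1:])
    for host, state in sorted(results.items()):
        print(f"{host}\t{NSCONFIGD_PORT}/tcp\t{state}")
    # Non-zero exit lets a scheduled job alert when any address is exposed.
    sys.exit(1 if exposed(results) else 0)
```

An `open` result from a user or server segment means the management interface is not separated as recommended; `unreachable` is the expected outcome once filtering is in place.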

Permanent Workaround

Deploy updated versions of the affected components. For a table listing supported versions, refer to https://support.citrix.com/article/CTX281474.