last update: 09/23/2019
I face lack of disk space since I upgraded to Citrix ADC 13.0 (“Citrix NetScaler 13.0”) built 13.0 built 36.27. Symptoms: It’s not possible to log on any more, using external authentication. Logging is stopped due to /var being out of disk space. Citrix ADC does not work fine any more. In addition it may lead to a reboot, unsaved configuration may get lost because of this.
I had been investigating this issue. There had not been any dumps in /var/crash, but plenty of them can be found in /var/core/\d{1,3} directory. Some guys told me to start from the scratch, to avoid issues like that, but it didn’t make any difference. NetScaler 13.0 built 36.27 does not seem to be stable.
I recently uploaded some of them to cis.citrix.com. Result: No issues detected. Way to go, Citrix! This is an issue. A big one!
Dirk Bautz recently brought up a Citrix Forum thread about this subject. It seems to be a major issue. It’s not just a simple issue about “something crashing every now and then”, but instead a reproduce-able issue, allowing an attacker to DOS a website protected by Citrix ADC 13. The attack is quite easy: Send requests, not containing host headers, and get redirected to SSL. This will crash the Citrix ADC and, at the same time, create a core dump. Citrix ADC won’t function correctly as soon as /var is full, so the DOS attack would be successful.
I investigated further: This may lead to a malfunctioning WAF, so it IS a security issue!
The appliance did not stabilize after down-dating to 12.1 built 53:12. I will now try updating to 13 built 41.20 (released September 16th)
take a look at https://discussions.citrix.com/topic/403644-citrix-adc-core-dumps-when-http-request-withoutempty-hostname-hits-80-443-redirect-policy/
Thanks, Dirk. I hope they’ll fix this issue soon. It’s a major issue! Your blog means nothing but: It’s easy to DOS a Citrix ADC 13 36.27? I just have to send several requests like that and fill up the hard-disk of these ADCs, and that’s it?