Citrix ADC 13.0: crash dumps filling up /var directory


last update: 09/23/2019

I have been facing a lack of disk space since I upgraded to Citrix ADC 13.0 (“Citrix NetScaler 13.0”) build 36.27. Symptoms: it is no longer possible to log on using external authentication. Logging stops because /var is out of disk space. Citrix ADC does not work properly any more. In addition, it may lead to a reboot, and unsaved configuration may be lost because of this.

I have been investigating this issue. There were no dumps in /var/crash, but plenty of them can be found in the /var/core/\d{1,3} directories. Some guys told me to start from scratch to avoid issues like that, but it didn’t make any difference. NetScaler 13.0 build 36.27 does not seem to be stable.

I recently uploaded some of them to cis.citrix.com. Result: No issues detected. Way to go, Citrix! This is an issue. A big one!

Dirk Bautz recently brought up a Citrix Forum thread about this subject. It seems to be a major issue. It’s not just a simple issue about “something crashing every now and then”, but instead a reproducible issue, allowing an attacker to DoS a website protected by Citrix ADC 13. The attack is quite easy: Send requests, not containing host headers, and get redirected to SSL. This will crash the Citrix ADC and, at the same time, create a core dump. Citrix ADC won’t function correctly as soon as /var is full, so the DoS attack would be successful.

I investigated further: This may lead to a malfunctioning WAF, so it IS a security issue!

The appliance did not stabilize after downgrading to 12.1 build 53:12. I will now try updating to 13 build 41.20 (released September 16th).
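A check for the symptom described above, as an added example that is not part of the original post and not Citrix tooling: it counts core files in the numbered directories under /var/core and reports how full /var is. The variable names and the two thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Thresholds are assumptions.
CORE_ROOT="${CORE_ROOT:-/var/core}"      # parent of the numbered dump directories
MAX_DUMPS="${MAX_DUMPS:-5}"              # assumed limit: core files tolerated
MAX_USE_PCT="${MAX_USE_PCT:-80}"         # assumed limit: percent of /var in use

# Print the sub-directories of $1 whose name is 1 to 3 digits (/var/core/\d{1,3}).
list_core_dirs() {
    [ -d "$1" ] || return 0
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        name=${d##*/}
        case "$name" in
            *[!0-9]*) continue ;;        # skip names that are not purely numeric
        esac
        if [ "${#name}" -le 3 ]; then printf '%s\n' "$d"; fi
    done
    return 0
}

# Count regular files (the dumps) inside those numbered directories.
count_core_files() {
    list_core_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -type f
    done | wc -l | tr -d ' '
}

# Percentage of the file system holding $1 that is in use, without the % sign.
fs_use_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Return 1 and print a warning when either limit is exceeded, else return 0.
check_core_dumps() {
    dumps=$(count_core_files "$1")
    used=$(fs_use_pct "$2")
    rc=0
    if [ "$dumps" -gt "$MAX_DUMPS" ]; then
        echo "WARN: $dumps core files under $1 (limit $MAX_DUMPS)"; rc=1
    fi
    if [ "$used" -ge "$MAX_USE_PCT" ]; then
        echo "WARN: $2 is ${used}% full (limit ${MAX_USE_PCT}%)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $dumps core files, $2 at ${used}%"; fi
    return "$rc"
}

check_core_dumps "$CORE_ROOT" /var || true   # run once; schedule it as needed
```

A sudden rise in the core file count is the early signal here, since it shows up before /var is actually full.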

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He was born in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I).
