Citrix ADC 13.0: crash dumps filling up /var directory


last update: 09/23/2019

I have been facing a lack of disk space since I upgraded to Citrix ADC 13.0 (“Citrix NetScaler 13.0”) build 36.27. Symptoms: it is no longer possible to log on using external authentication, logging stops because /var is out of disk space, and Citrix ADC no longer works correctly. It may also lead to a reboot, and unsaved configuration may get lost because of this.

I have been investigating this issue. There had not been any dumps in /var/crash, but plenty of them can be found in the /var/core/\d{1,3} directories. Some people told me to start from scratch to avoid issues like that, but it did not make any difference. NetScaler 13.0 build 36.27 does not seem to be stable.
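A defender-side check for the symptom described above, added here as an example that is not from the original post: it counts dump files under /var/core/<n> (the one- to three-digit subdirectories the post names) and reports how full /var is, so the condition can be caught before logins start failing. The thresholds and the default invocation at the end are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): detect core dumps piling up
# under /var/core/<n> and /var running low on space on a Citrix ADC.
# CORE_ROOT and the mount point are parameters so the check can be run
# against a test directory as well as a real appliance.

# count_core_dumps ROOT -> prints the number of regular files found in
# ROOT/<1-3 digit> subdirectories (other subdirectories are ignored)
count_core_dumps() {
    root="$1"
    n=0
    for d in "$root"/[0-9] "$root"/[0-9][0-9] "$root"/[0-9][0-9][0-9]; do
        [ -d "$d" ] || continue      # unmatched glob stays literal; skip it
        for f in "$d"/*; do
            [ -f "$f" ] && n=$((n + 1))
        done
    done
    echo "$n"
}

# var_used_percent MOUNT -> prints the used-space percentage of MOUNT (via df -P)
var_used_percent() {
    df -P "$1" | awk 'NR==2 { sub("%", "", $5); print $5 }'
}

# check_adc_var ROOT MOUNT MAX_DUMPS MAX_PCT
# returns 0 when both thresholds hold, 1 (with a warning line) otherwise
check_adc_var() {
    dumps=$(count_core_dumps "$1")
    pct=$(var_used_percent "$2")
    status=0
    if [ "$dumps" -gt "$3" ]; then
        echo "WARNING: $dumps core dump(s) under $1 (limit $3)"
        status=1
    fi
    if [ "$pct" -gt "$4" ]; then
        echo "WARNING: $2 is ${pct}% full (limit ${4}%)"
        status=1
    fi
    return "$status"
}

# Assumed invocation on an appliance: any dump is worth a warning, and /var
# above 80% used is treated as critical (thresholds are assumptions).
# check_adc_var /var/core /var 0 80
```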

I recently uploaded some of them to cis.citrix.com. Result: No issues detected. Way to go, Citrix! This is an issue. A big one!

Dirk Bautz recently brought up a Citrix Forum thread about this subject. It seems to be a major issue. It is not just a simple case of “something crashing every now and then”, but a reproducible issue that allows an attacker to DoS a website protected by Citrix ADC 13. The attack is quite easy: send requests that do not contain a Host header and get redirected to SSL. This will crash the Citrix ADC and, at the same time, create a core dump. Citrix ADC will not function correctly as soon as /var is full, so the DoS attack would be successful.

I investigated further: This may lead to a malfunctioning WAF, so it IS a security issue!

The appliance did not stabilize after downgrading to 12.1 build 53:12. I will now try updating to 13 build 41.20 (released September 16th).

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security.

He frequently works for Citrix international Consulting Services and several education centres all around the globe.
