Is your Citrix Netscaler vulnerable to the FREAK Attack?

I have heard this asked before and thought it would make a good post to get some information out.

The FREAK (Factoring RSA Export Keys) attack is the latest threat to exploit vulnerabilities in the OpenSSL libraries. You might remember the Heartbleed bug from last year.

FREAK (formally known as CVE-2015-0204) affects versions of OpenSSL prior to 1.0.1i (released January 15, 2015). It is a man-in-the-middle type of attack and affects a lot of different devices. The official description is here and a good editorialized version here.

I searched and searched but couldn’t really find anything official from Citrix in the KBs. I did run across an old Citrix Forum post related to the Heartbleed bug which stated that Netscalers do not use OpenSSL on the internet-facing side and therefore would not be affected by internet-based OpenSSL attacks. They actually use an internal SSL stack that Citrix privately tests against any known SSL threats. OpenSSL is only used for connections on the management side. The information is from a Netscaler Product Manager and can be found here.
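Because the internet-facing side runs Citrix's own SSL stack rather than OpenSSL, the OpenSSL version number tells you nothing about a Netscaler vIP; what matters is whether the endpoint will still negotiate an export-grade RSA cipher suite, which is what a FREAK downgrade depends on. The probe below is an added example (not code from this post or from Citrix) that offers only export RSA suites in a hand-built TLS 1.0 ClientHello and reports the suite if the server accepts one; the host name, port and the constructed ServerHello used for offline testing are assumptions.

```python
import socket
import struct
import sys

# Export-grade RSA key-exchange suites (IANA TLS Cipher Suite registry IDs); these are the
# suites a FREAK downgrade relies on. A properly configured server refuses all of them.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _record(handshake_type, body):
    """Wrap a handshake body in a TLS 1.0 handshake message and a TLS record."""
    hs = bytes([handshake_type]) + struct.pack(">I", len(body))[1:] + body  # 24-bit length
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def build_client_hello(suites):
    """Minimal ClientHello offering only the given suites (no session id, null compression)."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    return _record(0x01, body + b"\x01\x00")

def make_server_hello(suite):
    """Constructed ServerHello (empty session id), used only for offline testing."""
    return _record(0x02, b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00")

def export_suite_accepted(response):
    """Name of the export suite the server chose, or None if it sent an alert or
    anything other than a ServerHello selecting one of EXPORT_RSA_SUITES."""
    if len(response) < 9 or response[0] != 0x16 or response[5] != 0x02:
        return None
    body = response[9:]            # skip record header (5) and handshake header (4)
    if len(body) < 37 or len(body) < 37 + body[34]:
        return None
    sid_len = body[34]             # version (2) + random (32), then session id length
    suite = struct.unpack(">H", body[35 + sid_len:37 + sid_len])[0]
    return EXPORT_RSA_SUITES.get(suite)

def probe(host, port=443, timeout=5):
    """Offer only export RSA suites to a live endpoint; a hit means it is exposed to FREAK."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(EXPORT_RSA_SUITES)))
        return export_suite_accepted(sock.recv(4096))

if __name__ == "__main__":
    hit = probe(sys.argv[1])   # assumed usage: python freak_probe.py vip.example.com
    print("EXPOSED: server negotiated " + hit if hit else "OK: export suites refused")
```

Run it against your own vServer addresses; an alert or a non-export suite in the reply means the export suites are refused, which is the result you want.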

It’s a good bet that Citrix engineers are busy testing the internal code stack against the new CVE-2015-0204 vulnerability. Once complete, I am sure they will release a KB article like they did with Heartbleed, but until then, this will have to do. :)