Citrix NetScaler ADC and NetScaler Gateway Authenticated Scans

I wanted to see if anyone had any knowledge or experience performing authenticated scans regarding Citrix NS, VPX, and SDCs. How are you performing your authenticated scan via least privledge? I would assume running as Sudo or Su wouldnt be best. On the NS in the web gui are you creating local accounts or using a sec group with a domain user account to share the group between them? I would assume in the site created in R7 Insight we would just create an SSH account and scan the targets to get OS, Software versioning etc but would like to know what privledges would be needed on the NS for this said account to be able to get all the versioning details. Any experience or thoughts would be appreciated.

[(Critical Zero-Day Vulnerability in Citrix NetScaler ADC and NetScaler Gateway | Rapid7 Blog)

1 Like

The information I got from our Citrix admin is that a user connecting over SSH cannot be dropped directly into the shell - the user has to enter ‘shell’ at the CLI to be able to run any OS commands. And according to Rapid7 support, the InsightVM scanner cannot be configured to issue the shell command first, so authenticated scans don’t really achieve anything.

If anyone knows different, I’l love to know.

1 Like

I would also be interested in any information on this. It would be nice to assess our NetScaler devices.

If you’re not doing full authenticated vulnerability scans, is anyone successfully performing discovery scans on management ports? I’d be interested in at the very least pulling versioning information so we know what we are vulnerable to without relying on Citrix team.

1 Like