The Buffer Overflow check detects requests that might be attempts to cause a buffer overflow on the web server. If the application firewall finds that the URL, the Cookie header, or any other header in a request is longer than the configured maximum length, it blocks the request. The check is a length limit rather than a payload signature: anything over the limit is treated as an attack, so the limits must be set from the lengths your application legitimately uses, or the check either blocks valid traffic or, if set too generously, never fires.
The Buffer Overflow check prevents attacks against insecure operating-system or web-server software that can crash or behave unpredictably when it receives a data string that is larger than it can handle. Proper programming techniques prevent buffer overflows by checking incoming data and either rejecting or truncating overlong strings. Many programs, however, do not check all incoming data and are therefore vulnerable to buffer overflows. This issue especially affects older versions of web-server software and operating systems, many of which are still in use.
The Buffer Overflow security check allows you to configure the Block, Log, and Stats actions. In addition, you can configure the following parameters:
To configure Buffer Overflow security check actions and other parameters by using the command line
If you use the command-line interface, you can add the following Buffer Overflow Check arguments to the set appfw profile <profileName> command:
In the configuration utility, you can configure the Buffer Overflow security check in the pane for the profile associated with your application.
To configure or modify the Buffer Overflow security check by using the configuration utility
The security check table displays the currently configured action settings for all the security checks. You have two options for configuration:
a. If you just want to enable or disable Block, Log, and Stats actions for Buffer Overflow, you can select or clear check boxes in the table, click OK, and then click Save and Close to close the Security Check pane.
b. If you want to configure additional options for this security check, double click Buffer Overflow, or select the row and click Action Settings, to display the following options:
Maximum URL Length.
Maximum Cookie Length.
Maximum Header Length.
After changing any of the above settings, click OK to save the changes and return to the Security Checks table. You can proceed to configure other security checks if needed. Click OK to save all the changes you have made in the Security Checks section, and then click Save and Close to close the Security Check pane.
When the log action is enabled, the Buffer Overflow security check violations are logged in the audit log as APPFW_BUFFEROVERFLOW_URL, APPFW_BUFFEROVERFLOW_COOKIE, and APPFW_BUFFEROVERFLOW_HDR violations. The application firewall supports both Native and CEF log formats. You can also send the logs to a remote syslog server.
If you use the configuration utility to review the logs, you can use the click-to-deploy feature to apply relaxations indicated by the logs.
To access the log messages by using the command line
Switch to the shell and tail /var/log/ns.log, filtering for the Buffer Overflow violation messages:
> tail -f /var/log/ns.log | grep APPFW_BUFFEROVERFLOW
Example of a CEF log message showing a bufferOverflowMaxCookieLength violation in non-block mode
Oct 22 17:35:20 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_BUFFEROVERFLOW_COOKIE|6|src=10.217.253.62 geolocation=Unknown spt=41198 method=GET request=http://aaron.stratum8.net/FFC/sc11.html msg=Cookie header length(43) is greater than maximum allowed(16). cn1=119 cn2=465 cs1=owa_profile cs2=PPE1 cs3=wvOOOb+cJ2ZRbstZpyeNXIqLj7Y0001 cs4=ALERT cs5=2015 act=not blocked
Example of a CEF log message showing a bufferOverflowMaxURLLength violation in non-block mode
Oct 22 18:39:56 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_BUFFEROVERFLOW_URL|6|src=10.217.253.62 geolocation=Unknown spt=19171 method=GET request=http://aaron.stratum8.net/FFC/sc11.html msg=URL length(39) is greater than maximum allowed(20). cn1=707 cn2=402 cs1=owa_profile cs2=PPE0 cs3=kW49GcKbnwKByByi3+jeNzfgWa80000 cs4=ALERT cs5=2015 act=not blocked
Example of a Native format log message showing a bufferOverflowMaxHeaderLength violation in block mode
Oct 22 18:44:00 <local0.info> 10.217.31.98 10/22/2015:18:44:00 GMT ns 0-PPE-2 : default APPFW APPFW_BUFFEROVERFLOW_HDR 155 0 : 10.217.253.62 374-PPE2 khhBEeY4DB8V2D3H2sMLkXmfWnA0002 owa_profile Header(User-Agent) length(82) is greater than maximum allowed(10) : http://aaron.stratum8.net/ <blocked>
To access the log messages by using the configuration utility
The Citrix configuration utility includes a useful tool (Syslog Viewer) for analyzing the log messages. You have multiple options for accessing the Syslog Viewer:
The XML-based Syslog Viewer provides filter options for selecting only the log messages that are of interest to you. To select log messages for the Buffer Overflow check, select APPFW in the Module list. The Event Type list offers three options, APPFW_BUFFEROVERFLOW_URL, APPFW_BUFFEROVERFLOW_COOKIE, and APPFW_BUFFEROVERFLOW_HDR, for viewing the log messages pertaining to the Buffer Overflow security check; you can select one or more of them to refine your selection. For example, if you select the APPFW_BUFFEROVERFLOW_COOKIE check box and click Apply, only the log messages for Buffer Overflow violations on the Cookie header appear in the Syslog Viewer. If you place the cursor in the row for a specific log message, options such as Module, Event Type, Event ID, and Client IP appear below the log message; selecting one highlights the corresponding information in the log message.
Click-to-Deploy: The configuration utility provides click-to-deploy functionality, which is currently supported only for the Buffer Overflow log messages pertaining to URL length violations. You can use the Syslog Viewer not only to view the triggered violations but also to make informed decisions based on the URL lengths observed in the logged requests. If the current value is too restrictive and is triggering false positives, you can select a message and deploy it to replace the configured value with the URL length seen in that message. The log messages must be in CEF format for this operation. If a relaxation can be deployed for a log message, a check box appears at the right edge of the Syslog Viewer in that row. Select the check box, and then select an option from the Action list to deploy the relaxation; Edit & Deploy, Deploy, and Deploy All are available. You can use the APPFW_BUFFEROVERFLOW_URL filter to isolate the log messages for URL length violations.
If you select an individual log message, all three action options, Edit & Deploy, Deploy, and Deploy All, are available. If you select Edit & Deploy, the Buffer Overflow settings dialog is displayed, with the URL length observed in the request inserted into the Maximum URL Length field. If you click Close without making any edits, the currently configured values remain unchanged. If you click OK, the new Maximum URL Length value replaces the previous one.
The Block, Log, and Stats check boxes are cleared in the displayed Buffer Overflow settings dialog and must be set again when you use Edit & Deploy. Make sure to select them before clicking OK; otherwise the new URL length is configured but the actions are set to none, which leaves the check configured but inert.
If you select the check boxes for multiple log messages, you can use the Deploy or Deploy All option. If the selected log messages have different URL lengths, the configured value is replaced by the highest URL length observed among them. Deploying the rule changes only the bufferOverflowMaxURLLength value; the configured actions are retained. Because the new maximum is taken from observed traffic, review the selected messages before deploying: a single oversized request from a scanner, deployed as a relaxation, raises the limit for every subsequent request.
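The log formats shown above and the click-to-deploy logic can be reproduced offline. The following Python script is an added example, not NetScaler code: it parses the three messages shown on this page plus one constructed CEF line, extracts the observed and allowed lengths from both the CEF and the native format, and derives the relaxation that Deploy All would apply (the largest observed URL length), emitting it as a set appfw profile command using the bufferOverflowMaxURLLength parameter named on this page. The ceiling argument is this example's own addition, not a product feature; it stands in for the review step a practitioner should add before deploying an observed value.

```python
"""Parse NetScaler AppFW Buffer Overflow violations from ns.log (CEF and native
formats) and compute the URL-length relaxation that click-to-deploy would apply.
Added example for this page; not part of the NetScaler product."""
import re

# Sample log: the first three lines are the three message formats shown on this page;
# the fourth is a constructed CEF line with a longer URL (60 characters) so that
# Deploy All has a larger observed value to pick.
SAMPLE_LOG = """\
Oct 22 17:35:20 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_BUFFEROVERFLOW_COOKIE|6|src=10.217.253.62 geolocation=Unknown spt=41198 method=GET request=http://aaron.stratum8.net/FFC/sc11.html msg=Cookie header length(43) is greater than maximum allowed(16). cn1=119 cn2=465 cs1=owa_profile cs2=PPE1 cs3=wvOOOb+cJ2ZRbstZpyeNXIqLj7Y0001 cs4=ALERT cs5=2015 act=not blocked
Oct 22 18:39:56 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_BUFFEROVERFLOW_URL|6|src=10.217.253.62 geolocation=Unknown spt=19171 method=GET request=http://aaron.stratum8.net/FFC/sc11.html msg=URL length(39) is greater than maximum allowed(20). cn1=707 cn2=402 cs1=owa_profile cs2=PPE0 cs3=kW49GcKbnwKByByi3+jeNzfgWa80000 cs4=ALERT cs5=2015 act=not blocked
Oct 22 18:44:00 <local0.info> 10.217.31.98 10/22/2015:18:44:00 GMT ns 0-PPE-2 : default APPFW APPFW_BUFFEROVERFLOW_HDR 155 0 : 10.217.253.62 374-PPE2 khhBEeY4DB8V2D3H2sMLkXmfWnA0002 owa_profile Header(User-Agent) length(82) is greater than maximum allowed(10) : http://aaron.stratum8.net/ <blocked>
Oct 22 18:51:12 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_BUFFEROVERFLOW_URL|6|src=10.217.253.62 geolocation=Unknown spt=19204 method=GET request=http://aaron.stratum8.net/FFC/reports/quarterly/2015/q3.html msg=URL length(60) is greater than maximum allowed(20). cn1=708 cn2=403 cs1=owa_profile cs2=PPE0 cs3=kW49GcKbnwKByByi3+jeNzfgWa80001 cs4=ALERT cs5=2015 act=not blocked
"""

CEF_RE = re.compile(
    r"CEF:0\|Citrix\|NetScaler\|[^|]*\|APPFW\|APPFW_BUFFEROVERFLOW_(?P<kind>URL|COOKIE|HDR)\|\d+\|(?P<ext>.*)$"
)
NATIVE_RE = re.compile(
    r"APPFW APPFW_BUFFEROVERFLOW_(?P<kind>URL|COOKIE|HDR) \d+ \d+ : (?P<body>.*) : "
    r"(?P<request>\S+) <(?P<act>blocked|not blocked)>\s*$"
)
LENGTH_RE = re.compile(r"length\((?P<seen>\d+)\) is greater than maximum allowed\((?P<allowed>\d+)\)")
# CEF extension: key=value pairs whose values (msg=, act=) may contain spaces, so a
# value runs until the next " key=" or the end of the line.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_line(line):
    """Return a dict for a Buffer Overflow violation line, or None for any other line."""
    m = CEF_RE.search(line)
    if m:
        fields = dict(CEF_EXT_RE.findall(m.group("ext")))
        fmt, msg = "CEF", fields.get("msg", "")
        profile, request = fields.get("cs1"), fields.get("request")
        blocked = fields.get("act") == "blocked"
    else:
        m = NATIVE_RE.search(line)
        if not m:
            return None
        # Native body fields are positional: client IP, PPE id, transaction id,
        # profile name, then the free-text message.
        parts = m.group("body").split(None, 4)
        if len(parts) < 5:
            return None
        fmt, profile, msg = "native", parts[3], parts[4]
        request, blocked = m.group("request"), m.group("act") == "blocked"
    lm = LENGTH_RE.search(msg)
    if not lm:
        return None
    return {
        "format": fmt, "kind": m.group("kind"), "profile": profile, "request": request,
        "seen": int(lm["seen"]), "allowed": int(lm["allowed"]), "blocked": blocked,
    }


def parse_log(text):
    """All Buffer Overflow violations in a block of ns.log text, in order."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def recommend_url_relaxation(events, profile, ceiling):
    """Mirror Deploy All for APPFW_BUFFEROVERFLOW_URL: the new bufferOverflowMaxURLLength
    is the largest URL length observed for the profile. Returns (new_max, command);
    command is None when new_max exceeds the caller's ceiling, which is this example's
    own guard (not a product feature) against relaxing the check to fit a probe.
    The -bufferOverflowMaxURLLength flag follows the parameter name used on this page."""
    urls = [e["seen"] for e in events if e["kind"] == "URL" and e["profile"] == profile]
    if not urls:
        return None
    new_max = max(urls)
    if new_max > ceiling:
        return new_max, None
    return new_max, f"set appfw profile {profile} -bufferOverflowMaxURLLength {new_max}"


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        state = "blocked" if e["blocked"] else "not blocked"
        print(f"{e['format']:6} {e['kind']:6} {e['profile']} seen={e['seen']} allowed={e['allowed']} {state}")
    print(recommend_url_relaxation(events, "owa_profile", ceiling=2048))
```

Run the script against a saved ns.log excerpt instead of SAMPLE_LOG to see the same per-profile summary; the native-format branch relies on the positional field order visible in the native example above, so a device that emits additional fields would need the split adjusted.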
To use Click-to-Deploy functionality in the configuration utility
When the stats action is enabled, the counter for the Buffer Overflow Security Check is incremented when the application firewall takes any action for this security check. The statistics are collected for Rate and Total count for Traffic, Violations, and Logs. The size of an increment of the log counter can vary depending on the configured settings. For example, if the block action is enabled, a request for a page that contains three Buffer Overflow violations increments the stats counter by one, because the page is blocked as soon as the first violation is detected. However, if block is disabled, processing the same request increments the statistics counter for violations and the logs by three, because each violation generates a separate log message.
To display Buffer Overflow Security Check statistics by using the command line
At the command prompt, type:
> sh appfw stats
To display stats for a specific profile, use the following command:
> stat appfw profile <profile name>
To display Buffer Overflow statistics by using the configuration utility
In release 10.5.e (in a few interim enhancement builds prior to build 59.13xx.e) and in release 11.0 (in builds prior to 65.x), application firewall processing of the Cookie header was changed. In those builds, every cookie is evaluated individually, and the Buffer Overflow violation is triggered only if the length of any one cookie in the Cookie header exceeds the configured bufferOverflowMaxCookieLength. As a result, requests that were blocked by 10.5 and earlier builds might be allowed, because the length of the entire Cookie header is no longer used to determine the cookie length. In some situations the total cookie size forwarded to the server might then exceed what the server accepts, and the server might respond with 400 Bad Request.
Note that this change has been reverted. In 10.5.e builds 59.13xx.e and later, and in 11.0 builds 65.x and later, the behavior is again the same as in the non-enhancement builds of release 10.5: the entire raw Cookie header is considered when calculating the cookie length, including the surrounding spaces and the semicolon (;) characters that separate the name-value pairs.
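To see why the interim per-cookie measurement let through requests that the raw-header measurement blocks, the following Python snippet (an added example, not NetScaler code) computes both lengths for a constructed Cookie header whose individual cookies all fit a 16-character maximum but whose raw header, separators and spaces included, is 43 characters, the same total as the Cookie violation logged above. How the interim builds split the header into individual cookies is not described on this page; splitting on ';' and stripping the surrounding whitespace is this example's assumption.

```python
"""Two ways of measuring the Cookie header against bufferOverflowMaxCookieLength:
the whole raw header (the behaviour the builds listed above reverted to) and the
longest individual cookie (the interim behaviour). Added example; not NetScaler code."""


def raw_header_length(cookie_header):
    """Current behaviour: the raw Cookie header value as received, so the spaces and
    the ';' separators between name-value pairs count towards the length."""
    return len(cookie_header)


def longest_cookie_length(cookie_header):
    """Interim behaviour: each cookie is judged on its own. Assumption of this
    example (the page does not say): pairs are split on ';' and the whitespace
    around each pair is not counted."""
    return max((len(pair.strip()) for pair in cookie_header.split(";")), default=0)


def check_cookie_header(cookie_header, max_len, per_cookie=False):
    """Return (measured_length, violates) for the chosen measurement mode."""
    measured = longest_cookie_length(cookie_header) if per_cookie else raw_header_length(cookie_header)
    return measured, measured > max_len


# Constructed header: four cookies, the longest exactly 16 characters, 43 characters
# in total. With a 16-character maximum the raw-header mode flags it and the
# per-cookie mode does not, which is the divergence described above.
COOKIE = "a=1; sid=abcdef012345; theme=dark; lang=eng"

if __name__ == "__main__":
    for mode in (False, True):
        measured, violates = check_cookie_header(COOKIE, 16, per_cookie=mode)
        print(f"per_cookie={mode}: measured {measured} characters -> {'violation' if violates else 'allowed'}")
```

When sizing bufferOverflowMaxCookieLength for the current behaviour, budget for the separators and spaces a browser inserts between cookies, not only for the sum of the cookie values themselves.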