Admin Portal and Responders

[Brad Ordner]

Hi, 

 

Wanted to clarify if this part of Mitigation Steps for CVE-2019-19781 is for the HTTPs management traffic? We have Private IPs assigned to our NSIPs and did not deploy this code as they are not public facing IPs -

 

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"

 

The ‘skip_systemaccess_policyeval’ Flag

This flag ensures that the responder policies are evaluated on the admin portal traffic.
If the admin portal IP is in a secured environment, this knob is not needed. 
Enabling this might cause some obstruction to some admin pages. In such a case, the customer can toggle the flag during their maintenance window and set it back to the value ‘1’.

 

We tried to deploy it in our Azure VPXs and the entire thing lost its licence. So don't really want to deploy on our On Prem devices. 

 

Thanks

 

Brad

 

[Mark Du Plessis]

I've discovered on firmware 12.1.54.x (might be on other version as well) that this "fix" breaks some GUI functions. If you only use the Responder policy and do not apply the file skip_systemaccess_policyeval=0 part of the fix the GUI is not affected. 

 

If the full fix is applied, try the following:

Go to any CAG ( Gateway vServer) that has STAs applied to them and try view the STAs. You should receive an error popup and then no STA servers shown.