Description of Problem
A heap overflow vulnerability has been identified in Citrix NetScaler Gateway that could allow a remote, authenticated user to execute arbitrary commands on the NetScaler Gateway appliance as a root user.
The following vulnerability has been addressed:
- CVE-2017-7219 (High): Heap Overflow vulnerability in Citrix NetScaler Gateway Could Result in Arbitrary Code Execution
The vulnerability affects the following versions of Citrix NetScaler Gateway:
- Version 11.1 earlier than 11.1 Build 52.13
- Version 11.0 earlier than 11.0 Build 70.12
- Version 10.5 earlier than 10.5 Build 65.11
- Version 10.1 earlier than 10.1 Build 135.8/135.12
Please note that deployments of Citrix NetScaler ADC and NetScaler Web Application Firewall (WAF) that include an enabled NetScaler Gateway instance are affected by this vulnerability.
In deployments where NetScaler Gateway is used in ICA Proxy Mode only, the appliance firmware is not affected by this vulnerability.
What Customers Should Do
This vulnerability has been addressed in the following versions of Citrix NetScaler Gateway:
- Citrix NetScaler Gateway version 11.1 Build 52.13 and later
- Citrix NetScaler Gateway version 11.0 Build 70.12 and later
- Citrix NetScaler Gateway version 10.5 Build 65.11 and later
- Citrix NetScaler Gateway version 10.1 Build 135.8/135.12 and later
These new versions can be downloaded from the following location:
https://www.citrix.com/downloads/netscaler-gateway.html
Citrix strongly recommends that customers using affected versions of NetScaler Gateway upgrade to a version of the appliance firmware that contains the fixes for this issue as soon as possible.
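When checking a fleet against the fixed builds listed above, the pitfall is comparing build numbers as strings: "52.9" sorts after "52.13" lexically but is the older build. The following Python script is an added example for this page, not a Citrix tool. It assumes the version line format printed by the NetScaler CLI command `show ns version` (`NetScaler NS11.1: Build 52.13.nc, Date: ...`), treats the Gateway-enabled and ICA-Proxy-only conditions from the Description of Problem as caller-supplied inputs, and, because the advisory lists two fixed builds for 10.1 (135.8/135.12) without saying which release line each applies to, reports a 10.1 build that falls between them as "verify" rather than guessing.

```python
"""Classify NetScaler builds against the CVE-2017-7219 fixed builds.

Added example for this advisory page (not Citrix code). The version-line
format is assumed from the output of `show ns version`; the sample lines
below are constructed, not captured from real appliances.
"""
import re
from typing import Dict, Tuple

# Minimum fixed build per release line, taken from the advisory.
FIXED_BUILDS: Dict[str, str] = {
    "11.1": "52.13",
    "11.0": "70.12",
    "10.5": "65.11",
    "10.1": "135.8",   # advisory lists 135.8/135.12; see FIXED_10_1_UPPER
}
# Upper of the two 10.1 fixed builds listed on the page. A 10.1 build at or
# above 135.8 but below 135.12 is reported as "verify" (assumption: which of
# the two applies depends on the 10.1 line the appliance runs).
FIXED_10_1_UPPER = "135.12"

# Matches e.g. "NetScaler NS11.1: Build 52.13.nc, Date: Feb 22 2017" and
# stops at the ".nc"/".e" suffix because the trailing groups require digits.
_VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+(?:\.\d+)*)")


def parse_version(line: str) -> Tuple[str, str]:
    """Return (release, build), e.g. ('11.1', '52.13'), from a version line."""
    m = _VERSION_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    return m.group(1), m.group(2)


def build_tuple(build: str) -> Tuple[int, ...]:
    """'135.8' -> (135, 8). Numeric tuples order 52.9 before 52.13."""
    return tuple(int(part) for part in build.split("."))


def classify(line: str, gateway_enabled: bool = True,
             ica_proxy_only: bool = False) -> str:
    """Return one of: affected, fixed, verify, not-affected, unlisted.

    gateway_enabled: False for ADC/WAF appliances with no Gateway instance
                     enabled (the advisory scopes the issue to enabled Gateway).
    ica_proxy_only:  True when Gateway is deployed in ICA Proxy Mode only,
                     which the advisory states is not affected.
    """
    release, build = parse_version(line)
    if release not in FIXED_BUILDS:
        return "unlisted"          # release line not covered by this advisory
    if not gateway_enabled or ica_proxy_only:
        return "not-affected"
    current = build_tuple(build)
    if current < build_tuple(FIXED_BUILDS[release]):
        return "affected"
    if release == "10.1" and current < build_tuple(FIXED_10_1_UPPER):
        return "verify"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample output lines, one per appliance.
    samples = [
        "NetScaler NS11.1: Build 52.9.nc, Date: Jan 10 2017, 11:02:31",
        "NetScaler NS11.1: Build 52.13.nc, Date: Feb 22 2017, 15:26:48",
        "NetScaler NS10.5: Build 65.10.nc, Date: Dec 1 2016, 09:14:05",
        "NetScaler NS10.1: Build 135.10.e, Date: Nov 3 2016, 18:41:12",
    ]
    for sample in samples:
        print(f"{classify(sample):<13} {sample}")
```

Run against the output of `show ns version` collected from each appliance; pass `gateway_enabled=False` or `ica_proxy_only=True` only when you have confirmed that configuration, since the default reflects the advisory's worst case.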
Acknowledgements
Citrix thanks Alain Mowat of SCRT (https://www.scrt.ch) for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change
12th April 2017 | Initial Publishing
21st April 2017 | Update to Description of Problem
9th May 2017 | Update to Description of Problem
30th May 2017 | Update to Description of Problem