Authentication Bypass Vulnerability in the Management Interface of Citrix Application Delivery Controller and Citrix Gateway

Related Vulnerabilities: CVE-2019-18225  

Description of Problem

A vulnerability has been identified in the management interface of Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an attacker with access to the management interface to gain administrative access to the appliance.

This vulnerability has been assigned the following CVE number:

  • CVE-2019-18225: Authentication Bypass Vulnerability in the Management Interface of Citrix Application Delivery Controller and Citrix Gateway

This vulnerability affects the following product versions:

  • Citrix ADC and Citrix Gateway version 13.0 earlier than and including build 41.20
  • Citrix ADC and NetScaler Gateway version 12.1 earlier than and including build 54.13
  • Citrix ADC and NetScaler Gateway version 12.0 earlier than and including build 62.8
  • Citrix ADC and NetScaler Gateway version 11.1 earlier than and including build 62.8
  • Citrix ADC and NetScaler Gateway version 10.5 earlier than and including build 70.5

Mitigating Factors

In order to exploit this vulnerability, an attacker would require access to the management interface of the Citrix ADC. In situations where customers have deployed their Citrix ADC and Citrix Gateway appliances in line with industry best practice, network access to this interface should already be restricted.

If the customer has previously changed the default internal user account or RPC node password in accordance with the guidelines in the Secure Deployment Guide, then this issue does not impact their deployment.


What Customers Should Do

This vulnerability has been addressed in the following versions of Citrix ADC and Citrix Gateway:

  • Citrix ADC and Citrix Gateway version 13.0 build 41.28 and later
  • Citrix ADC and NetScaler Gateway version 12.1 build 54.16 and later
  • Citrix ADC and NetScaler Gateway version 12.0 build 62.10 and later
  • Citrix ADC and NetScaler Gateway version 11.1 build 63.9 and later
  • Citrix ADC and NetScaler Gateway version 10.5 build 70.8 and later

Citrix strongly recommends that customers impacted by this vulnerability upgrade to a version of the Citrix ADC or Citrix Gateway that contains a fix for this issue as soon as possible.
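A version-triage helper, added here as an example and not part of Citrix's advisory or tooling: it encodes the affected builds and fixed builds listed above and classifies a deployment's release and build against them. The banner format it parses (`NS<release>: Build <major>.<minor>`) and the sample banners are assumptions constructed for this example; builds that fall between the last listed affected build and the first listed fixed build are reported as unlisted rather than guessed.

```python
import re

# Transcribed from the advisory: last affected build ("earlier than and
# including") and first fixed build ("and later") per release train.
AFFECTED_UP_TO = {
    "13.0": (41, 20), "12.1": (54, 13), "12.0": (62, 8),
    "11.1": (62, 8), "10.5": (70, 5),
}
FIXED_FROM = {
    "13.0": (41, 28), "12.1": (54, 16), "12.0": (62, 10),
    "11.1": (63, 9), "10.5": (70, 8),
}

# Assumed banner shape, e.g. "NetScaler NS12.1: Build 54.13.nc" (constructed).
_VERSION_RE = re.compile(r"NS(?P<release>\d+\.\d+):\s*Build\s+(?P<build>\d+\.\d+)")


def parse_version(banner):
    """Return (release, (major, minor)) from a version banner.

    Build numbers are compared as integer tuples, not strings, so that
    62.8 sorts before 62.10 as the advisory intends.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    major, minor = (int(part) for part in m.group("build").split("."))
    return m.group("release"), (major, minor)


def assess_cve_2019_18225(banner):
    """Classify a build as 'affected', 'fixed', 'unlisted-build' or 'not-listed'.

    Note: per the Mitigating Factors section, a deployment whose default
    internal user account or RPC node password was already changed is not
    impacted regardless of build; this check covers build state only.
    """
    release, build = parse_version(banner)
    if release not in AFFECTED_UP_TO:
        return "not-listed"          # release train not mentioned in the advisory
    if build <= AFFECTED_UP_TO[release]:
        return "affected"
    if build >= FIXED_FROM[release]:
        return "fixed"
    return "unlisted-build"          # between the two lists; advisory is silent
```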

These versions are available on the Citrix website at the following addresses:

https://www.citrix.com/downloads/citrix-adc/

https://www.citrix.com/downloads/citrix-gateway/

Customers may also choose to change the default internal user account or RPC node password as a workaround for this vulnerability. Please note that this change may affect existing HA, Cluster, or GSLB configuration on the deployment. Configuration instructions can be found in the steps included under “Internal user account or RPC node password” in the section titled “Change the default passwords” in the following secure deployment guide.

https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html

In line with industry best practice, Citrix also recommends that customers limit access to the management interface to trusted traffic only. Citrix has published additional guidance on the secure configuration of the management interfaces. This can be found at the following location:

https://support.citrix.com/article/CTX228148


Acknowledgements

Citrix thanks Marc-André Labonté of Desjardins for working with us to protect Citrix customers.


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date  Change
17th October 2019 Initial Publishing
17th October 2019 Added Acknowledgement & Clarification on Affected Builds
18th October 2019 Added Clarification on RPC node password
21st October 2019 CVE ID assigned