Citrix ADC and Citrix Gateway Security Update (CVE-2019-0140)

Related Vulnerabilities: CVE-2019-0140  

Description of Problem

A vulnerability has been identified in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that could result in privilege escalation by an attacker with layer 2 network access on any of the appliance's network interfaces.

This vulnerability has been assigned the following CVE:

• CVE-2019-0140: Buffer overflow in firmware for Intel(R) Ethernet 700 Series Controllers


The following MPX/SDX series are affected:

• 8900

• 14000/14000-40G/14000-40S/14000-40C

• 15000/15000-50G

• 25000-40G

• 26000/26000-50S

Only 10G/25G/40G ports are affected by this vulnerability.

Mitigating Factors

An attacker must have Layer 2 access to exploit this vulnerability, which limits exposure to systems with access to the peer switch. The issue is mitigated if Link Layer Discovery Protocol (LLDP) is disabled on the peer switch connected to the MPX/SDX.

What Customers Should Do

Customers with affected versions of Citrix ADC MPX are recommended to upgrade the appliance firmware to one of the following versions:

  • 13.0 build 58.30 and later
  • 12.1 build 56.22 and later
  • 11.1 build 64.11 and later

Customers must then upgrade the network interface card firmware by following the guidance in this article: https://docs.citrix.com/en-us/citrix-hardware-platforms/mpx/fortville-nic-firmware-upgrade.html.

Please note that once the network interface card firmware has been upgraded on the MPX, the appliance firmware can no longer be downgraded to any version earlier than those listed above.


Customers with affected versions of Citrix ADC SDX are recommended to upgrade the appliance firmware to a version that includes a firmware update for the vulnerable network interface card:

  • 13.0 build 58.30 and later
  • 12.1 build 57.18 and later
  • 11.1 build 65.10 and later

Please note that customers must first upgrade any VPX instances running on the appliance and then upgrade the SVM. More details are available in the following article: https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/fortville-nic-firmware-upgrade-on-sdx.html

Alternatively, customers who are unable to upgrade are strongly recommended to disable Link Layer Discovery Protocol (LLDP) on the peer switch connected to the MPX or SDX.
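Because the fixed build differs between MPX and SDX on the 12.1 and 11.1 trains, a fleet check is easy to get wrong by hand. The following is an added example (not Citrix's own tooling) that compares the first line of `show version` output against the minimum fixed builds listed in this advisory; the version-string format it parses is an assumption, and it checks only the appliance firmware, not the separate NIC firmware upgrade step.

```python
import re

# Minimum fixed Citrix ADC builds per platform, taken from this advisory.
# Keyed by release train; the value is the first build carrying the fix.
FIXED_BUILDS = {
    "MPX": {"13.0": (58, 30), "12.1": (56, 22), "11.1": (64, 11)},
    "SDX": {"13.0": (58, 30), "12.1": (57, 18), "11.1": (65, 10)},
}

# Assumed format of the first line of `show version`, e.g.
# "NetScaler NS13.0: Build 58.30.nc, Date: ..." (constructed sample below).
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(show_version_output):
    """Return (release_train, (major_build, minor_build)) from show version text."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("unrecognised Citrix ADC version string")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_appliance_firmware_fixed(show_version_output, platform):
    """True if the build meets the advisory threshold for the platform,
    False if it is below it, None if the release train is not covered here."""
    train, build = parse_version(show_version_output)
    thresholds = FIXED_BUILDS[platform.upper()]
    if train not in thresholds:
        return None
    # Tuple comparison orders (major, minor) builds correctly, e.g. (58, 9) < (58, 30).
    return build >= thresholds[train]


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, platform, first line of show version)
    fleet = [
        ("adc-mpx-01", "MPX", "NetScaler NS12.1: Build 56.22.nc, Date: Jan 1 2020"),
        ("adc-sdx-01", "SDX", "NetScaler NS12.1: Build 56.22.nc, Date: Jan 1 2020"),
        ("adc-mpx-02", "MPX", "NetScaler NS12.0: Build 60.9.nc, Date: Jan 1 2020"),
    ]
    for host, platform, line in fleet:
        state = {True: "fixed", False: "UPGRADE REQUIRED", None: "not covered by advisory"}
        print(f"{host} ({platform}): {state[is_appliance_firmware_fixed(line, platform)]}")
```

The same build string reports "fixed" on MPX and "UPGRADE REQUIRED" on SDX, which is exactly the distinction the two version lists above draw.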

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix

Changelog

Date        Change
2019-11-12  Initial publication
2020-10-21  Updated guidance
2022-01-18  Fixed typos in affected MPX/SDX series section