Description of Problem
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in the following security issues:
CVE ID | Description | Vulnerability Type | Affected Products | Pre-conditions |
CVE-2020-8245 | An HTML Injection attack against the SSL VPN web portal
| CWE-79: Improper Neutralization of Input During Web Page Generation | Citrix ADC, Citrix Gateway | Requires an authenticated victim on the SSL VPN web portal who must open an attacker-controlled link in the browser |
CVE-2020-8246 | A denial of service attack originating from the management network
| CWE-400: Uncontrolled Resource Consumption
| Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated attacker with access to the management network |
CVE-2020-8247 | Escalation of privileges on the management interface | CWE-269: Improper Privilege Management | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | An attacker must possess privilege to execute arbitrary commands on the management interface |
The vulnerabilities are addressed in the following supported versions:
- Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
- Citrix ADC and NetScaler Gateway 12.1-58.15 and later releases
- Citrix ADC 12.1-FIPS 12.1-55.187 and later releases
- Citrix ADC and NetScaler Gateway 11.1-65.12 and later releases
- Citrix SD-WAN WANOP 11.2.1a and later releases
- Citrix SD-WAN WANOP 11.1.2a and later releases
- Citrix SD-WAN WANOP 11.0.3f and later releases
- Citrix SD-WAN WANOP 10.2.7b and later releases
Customers should note that Citrix ADC and Citrix Gateway 12.0, which has reached End of Maintenance, is impacted by these vulnerabilities. Citrix recommends that customers using this version upgrade to a later version that addresses these issues.
Additionally, security enhancements to help protect customers against HTTP Request Smuggling attacks have been added to the above versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP. Customers may enable these enhancements using the Citrix ADC management interface. Please see https://support.citrix.com/article/CTX282268 for more information.
Mitigating Factors
Two of the three vulnerabilities originate in the management interface of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP. Citrix strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic. Doing so greatly diminishes risk of exploitation. Please see https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html for more information.
What Customers Should Do
Fixed builds have been released for supported versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP. Citrix recommends that affected customers install these updates as soon as their patching schedule permits.
The latest builds can be downloaded from https://www.citrix.com/downloads/citrix-adc/, https://www.citrix.com/downloads/citrix-gateway/ and https://www.citrix.com/downloads/citrix-sd-wan/
Acknowledgements
Citrix would like to thank Knud of F-Secure, Arsenii Pustovit of Adversary Emulation team (Royal Bank of Canada), Moritz Bechler of SySS GmbH, Johan Georges from Wisearc Advisors in Sweden, Vasilis Maritsas of EY Consulting, Juan David Ordoñez Noriega, member of RedTeam CSIETE and Ricardo Iramar Dos Santos for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
To receive future security bulletins, customers can update their support notifications at https://support.citrix.com/user/alerts or subscribe to the RSS feed at https://support.citrix.com/feeds.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: – https://www.citrix.com/about/trust-center/vulnerability-process.html
Changelog
Date | Change |
2020-09-17 | Initial Publication |
2020-09-18 | Clarification on version 12.0 |