Description of Problem
A Cross-Site Scripting (XSS) vulnerability has been identified in Citrix NetScaler Gateway, formerly known as Citrix Access Gateway Enterprise Edition and Citrix ADC formerly known as NetScaler ADC, that if exploited by an attacker with access to the NetScaler administrative user interface including the management interface, could potentially be used to execute malicious client-side script in the same context as legitimate content from the web server; if this vulnerability is used to execute script in the browser of an authenticated user then the script may be able to gain access to the authenticated user's session or other potentially sensitive information.
This vulnerability has been assigned the following CVE number:
• CVE-2018-18517: Cross-Site Scripting vulnerability in Citrix NetScaler Gateway
This vulnerability is present in the following versions of Citrix NetScaler Gateway and Citrix ADC:
10.5.x earlier than version 10.5.69.3
11.1.x earlier than version 11.1.59.10
12.0.x earlier than version 12.0.58.18
12.1.x earlier than version 12.1.49.23
What Customers Should Do
This vulnerability has been addressed in new versions of the Citrix NetScaler Gateway and Citrix ADC software. Citrix recommends that customers upgrade their Citrix NetScaler Gateway and Citric ADC appliances to one of the following versions:
10.5.69.3 and later
11.1.59.10 and later
12.0.58.18 and later
12.1.49.23 and later
These upgrades can be obtained from the Citrix website at the following location:
Citrix NetScaler Gateway:
https://www.citrix.com/downloads/citrix-gateway/product-software.html
Citrix ADC:
https://www.citrix.com/downloads/citrix-adc/
Please note that a MyCitrix account is required to access this location.
Mitigating Factors
In order to exploit this vulnerability, an attacker would require access to the management interface of the NetScaler. In situations where customers have deployed their NetScaler Gateway appliances in line with industry best practice, network access to this interface should already be restricted.
Acknowledgements
Citrix thanks Davide Peruzzi of gosecure.it for working with us on CVE-2018-18517 to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change |
October 23rd 2018 | Initial bulletin published |
October 25th 2018 | Updated description and version numbering |
November 5th 2018 | Updated description to include Citrix ADC |
November 15th 2018 | Updated applicable products |