Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates

Related Vulnerabilities: CVE-2018-6810, CVE-2018-6808, CVE-2018-6809, CVE-2018-6811, CVE-2018-6186

Description of Problem

A number of vulnerabilities have been identified in supported versions of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway.

The following vulnerabilities have been addressed:

  • CVE-2018-6810: Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Directory Traversal Vulnerability
  • CVE-2018-6808: Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Arbitrary File Download Vulnerability
  • CVE-2018-6809: Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Privilege Escalation Vulnerability
  • CVE-2018-6811: Multiple Cross-Site Scripting vulnerabilities in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway
  • CVE-2018-6186: Citrix NetScaler VPX through NS12.0 53.13.nc allows an SSRF attack via the /rapi/read_url URI by an authenticated attacker who has a webapp account. The attacker can gain access to the nsroot account, and execute remote commands with root privileges.

The vulnerabilities affect the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Citrix NetScaler ADC and NetScaler Gateway earlier than version 12.0 Build 57.19
  • Citrix NetScaler ADC and NetScaler Gateway earlier than version 11.1 Build 56.15
  • Citrix NetScaler ADC and NetScaler Gateway earlier than version 11.0 Build 71.18
  • Citrix NetScaler ADC and NetScaler Gateway earlier than version 10.5 Build 67.10

What Customers Should Do

These vulnerabilities have been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 Build 57.19 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 Build 56.15 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 Build 71.18 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 Build 67.10 and later

Citrix recommends that affected customers upgrade their NetScaler appliances to a version of the appliance firmware that contains a fix for these issues as soon as their patching schedule allows.
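To check an appliance inventory against the fixed builds listed above, the following is an added example (not Citrix code and not part of this advisory). It parses NetScaler version strings in the forms seen on this page, such as "12.0 Build 57.19" or "NS12.0 53.13.nc", and reports whether each version is below the fixed build for its release branch; the accepted string formats and the sample inventory are assumptions constructed for the example. Build numbers are compared component by component, so 56.9 is correctly treated as older than 56.15.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed builds per release branch, taken from the advisory.
# A version in the same branch with a lower build is affected.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int]] = {
    (12, 0): (57, 19),
    (11, 1): (56, 15),
    (11, 0): (71, 18),
    (10, 5): (67, 10),
}

# Assumed formats: "12.0 Build 57.19", "NS12.0 53.13.nc", "12.0-57.19".
_VERSION_RE = re.compile(
    r"^(?:NS)?(\d+)\.(\d+)\D+(\d+)\.(\d+)(?:\.nc)?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((major, minor), (build_major, build_minor)) for a version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    major, minor, build_major, build_minor = (int(g) for g in m.groups())
    return (major, minor), (build_major, build_minor)


def is_affected(text: str) -> Optional[bool]:
    """True if below the fixed build for its branch, False if at or above it,
    None if the branch is not covered by this advisory (treat as unknown)."""
    branch, build = parse_version(text)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (56, 9) < (56, 15)


def check_inventory(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each hostname to its affected status (None = not covered)."""
    return {host: is_affected(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"ns-edge-1": "NS12.0 53.13.nc", "ns-edge-2": "12.0 Build 57.19",
              "ns-lab": "11.1-56.9", "ns-new": "12.1 Build 48.13"}
    for host, status in check_inventory(sample).items():
        print(f"{host}: {'AFFECTED' if status else 'not covered' if status is None else 'fixed'}")
```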

These versions are available on the Citrix website at the following addresses:

https://www.citrix.com/downloads/netscaler-adc/

https://www.citrix.com/downloads/netscaler-gateway/


Acknowledgements

Citrix thanks the Qualys Security Research Team (https://www.qualys.com) for working with us to protect Citrix customers.


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date            Change
1st March 2018  Initial publishing