[German]There are three new (and previously unpatched) vulnerabilities CVE-2020-10110, CVE-2020-10111, CVE-2020-10112 in the Citrix Gateway Firmware, which allow attackers to retrieve information or bypass security features.
The vulnerabilities were discovered by the German SySS GmbH and reported to Citrix on 31 January 2020. The information was then disclosed on seclists on 6 March 2020. I became aware of this issue through the following tweet by Thorsten E.
Citrix ADC Triple CVE Month CVE-2020-10110, CVE-2020-10111, CVE-2020-10112 https://t.co/ntGRtFzu9Q
— Thorsten E. (@endi24) March 17, 2020
The linked post on LinkedIn addresses the three vulnerabilities CVE-2020-10110, CVE-2020-10111, CVE-2020-10112. At first I thought ‘why didn’t you notice that’. After a short research I found out about the security information CB-K20/0201 Update 1 from German BSI (and an English article on this security site), which contains a compact summary of the facts. In the following I would like to provide some information for Citrix admins.
What is Citrix Gateway?
The Citrix Gateway is a customer-managed solution that can be deployed on premises or on any public cloud, such as AWS, Azure, or Google Cloud Platform. Citrix Gateway provides users with secure access and single sign-on to all the virtual, SaaS and web applications they need to be productive.
Vulnerabilities CVE-2020-10110, CVE-2020-10111, CVE-2020-10112
The vulnerabilities CVE-2020-10110, CVE-2020-10111, CVE-2020-10112 allow a remote attacker to gain access to information or bypass security measures without authentication. Affected are firmware versions 11.1, 12.0, 12.1 and subversions of the Citrix Gateway. These Security Advisories are available for the three vulnerabilities:
- SYSS Security Advisories vom 2020-03-08 (CVE-2020-10110): Information Exposure Through Caching (CWE-512), the Citrix Security Response Team does not see a security impact and is not considered a vulnerability.
- SYSS Security Advisories vom 2020-03-08 (CVE-2020-10111): Inconsistent Interpretation of HTTP Requests (CWE-444), Using HTTP/1.2 in the request, the cache can be bypassed and in the PoC request the value will be processed correctly; the Citrix Security Response Team does not see a security impact and is not considered a vulnerability
- SYSS Security Advisories vom 2020-03-08 (CVE-2020-10112): Cache Poisoning (CAPEC-141), If a client is asking for an URL with parameter “value=A”, the
parameter will be processed and the response will be cached. If
another client is requesting the same URL but with a different
parameter “value=B”, the request will be answered with the initial
response (“value=A”) during the caching time (for 112 seconds). The Citrix Security Response Team does not see a security impact and is not considered a vulnerability
The security researchers at SySS GmbH also rate the vulnerabilities as low, and the BSI has issued a security rating of ‘medium’. The fact that the vulnerabilities can be exploited remotely is not very attractive. So far, Citrix has not yet provided any firmware updates or other public details.