[German]There are critical vulnerabilities in various Citrix products. The vendor has released security updates for Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliance. Administrators should urgently install the updates.
A blog reader has informed me by mail (thanks for that) that Citrix has published a security advisory about the vulnerabilities as of July 7, 2020. These vulnerabilities were discovered by external security researchers from Akamai, Digital 14 etc. and reported to the vendor.
Multiple vulnerabilities have been discovered in Citrix Application Delivery Controller (ADC, formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO and 5100-WO.
(Citrix Vulnerabilities, Click to zoom)
These vulnerabilities, if exploited, can lead to a number of security problems. Several attack scenarios are possible.
The management interface as a point of attack
For example, attacks on the management interface make it possible:
- system compromise by an unauthenticated user on the managed network.
- System compromise through Cross Site Scripting (XSS) attacks on the management interface
- Creating a download link for the device that, if downloaded and then run by an unauthenticated user on the management network, can lead to the compromise of their local computer.
Customers who have configured their systems in accordance with Citrix recommendations have significantly reduced their risk of attacks on the management interface.
Virtual IP (VIP) as point of attack
The vulnerabilities additionally allow attacks that can be applied to a virtual IP (VIP).
- Denial of service either against the virtual gateway or authentication servers by an unauthenticated user (the virtual server with load balancing is not affected).
- Remote port scanning of the internal network by an authenticated Citrix Gateway user. Attackers can only detect whether a TLS connection to the port is possible and cannot continue to communicate with the end devices.
Customers who have neither the virtual gateway nor authentication server enabled are not exposed to the risk of attacks applicable to these servers. Other virtual servers, such as virtual servers with load balancing and content switching, are not affected by these problems.
Vulnerability in Citrix Gateway Plug-in for Linux
In addition, a vulnerability has been found in the Citrix Gateway Plug-in for Linux that would allow a locally logged on user of a Linux system on which this plug-in is installed to increase his privileges to an administrator account on that computer.
The following versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP fix the vulnerabilities
- Citrix ADC and Citrix Gateway 13.0-58.30 and later versions
- Citrix ADC and NetScaler Gateway 12.1-57.18 and later versions 12.1
- Citrix ADC and NetScaler Gateway 12.0-63.21 and later versions 12.0
- Citrix ADC and NetScaler Gateway 11.1-64.14 and later versions 11.1
- NetScaler ADC and NetScaler Gateway 10.5-70.18 and later versions 10.5
- Citrix SD-WAN WANOP 11.1.1a and later versions
- Citrix SD-WAN WANOP 11.0.3d and later versions 11.0
- Citrix SD-WAN WANOP 10.2.7 and later versions 10.2
- Citrix Gateway-Plug-in for Linux 220.127.116.11 and later versions
Builds with fixed vulnerabilities have been released for all supported versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. Citrix strongly recommends customers to install these updates immediately. The latest builds can be downloaded from the following download addresses
Customers who are not able to upgrade to the latest version immediately are advised to ensure that access to the management interface is restricted. Further information can be found here.
Users with Citrix Gateway plug-in for Linux should log in to an upgraded version of Citrix Gateway and select “Network VPN Mode”. Citrix Gateway will then prompt the user to update. Customers with the Citrix Gateway service managed by Citrix do not need to take any action.
PoC for Citrix ADC/Netscaler vulnerability CVE-2019-19781
Further actions required for Citrix Netscaler vulnerability
Citrix ADC/Netscaler patches 11.1/12.0 released (01/19/2020)
Citrix vulnerability: New updates and scanners for testing
Cyber attacks on Citrix: City of Brandenburg and community Stahnsdorf offline
Tip: Citrix StoreFront and SSL Certificates
Ragnarok Ransomware targets Citrix ADC, stops Defender
New vulnerabilities CVE-2020-10110, CVE-2020-10111, CVE-2020-10112 in Citrix Gateway
Vulnerability in Citrix Apps put companies at risk
Citrix Workspace-App comes w/o VC++ Runtime from V1904