Citrix issued a security bulletin on September 18, 2020 regarding vulnerabilities and security updates for Citrix Application Delivery Controller, Citrix Gateway and the Citrix SD-WAN WANOP appliance.
Citrix Application Delivery Controller (ADC) is an application delivery and load balancing solution. Citrix Gateway is a customer-managed solution that can be deployed on premises or in any public cloud, such as AWS, Azure or Google Cloud Platform. Citrix Gateway provides users with secure access and single sign-on for all virtual, SaaS and web applications. Citrix SD-WAN products are appliances for virtualized wide area networks.
CERT Bund warning CB-K20/0912
The German CERT Bund published warning CB-K20/0912 on September 18, 2020. According to it, a remote attacker, anonymous or authenticated, could exploit multiple vulnerabilities in Citrix Systems ADC, Citrix Systems Citrix Gateway and Citrix Systems SD-WAN to carry out a cross-site scripting attack, cause a denial of service or escalate privileges.
Citrix Security Warning
The manufacturer Citrix also published security bulletin CTX281474 on September 18, 2020, in which it confirms the vulnerabilities.
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.
These vulnerabilities, if exploited, could lead to the security issues listed in detail in security bulletin CTX281474. They have been addressed by updates and are fixed in the following product versions:
- Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
- Citrix ADC and NetScaler Gateway 12.1-58.15 and later releases
- Citrix ADC 12.1-FIPS 12.1-55.187 and later releases
- Citrix ADC and NetScaler Gateway 11.1-65.12 and later releases
- Citrix SD-WAN WANOP 11.2.1a and later releases
- Citrix SD-WAN WANOP 11.1.2a and later releases
- Citrix SD-WAN WANOP 11.0.3f and later releases
- Citrix SD-WAN WANOP 10.2.7b and later releases
Citrix points out that Citrix ADC and Citrix Gateway 12.0 have reached end of support but are nevertheless affected by these vulnerabilities. Citrix recommends that customers still running this release upgrade to a later version for which one of the updates above is available (see CTX281474). (via)
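The practical question for an administrator is whether a given appliance build is at or above the fixed release for its branch. The following is an added example, not code from the page or from Citrix: it encodes the fixed versions listed above and compares an ADC/Gateway or SD-WAN WANOP version string against them, treating the unsupported 12.0 branch as affected with no fix. Because a 12.1-FIPS build cannot be told apart from a mainline 12.1 build by the version number alone, the `fips` flag is an assumption of this example that the caller must supply; the `show ns version` output line it parses is a constructed sample modelled on that command's usual form.

```python
"""Compare Citrix ADC/Gateway and SD-WAN WANOP version strings against the
fixed releases listed in CTX281474 (as summarised on the page above).
Added example; thresholds are copied from the bulletin summary, the
parsing and the ``fips`` flag are assumptions of this example."""
import re
from typing import Optional, Tuple

# First fixed build per ADC/Gateway release branch: (build, sub-build).
# Key: (branch, is_fips). The 12.1-FIPS line has its own build numbering.
ADC_FIXED = {
    ("13.0", False): (64, 35),
    ("12.1", False): (58, 15),
    ("12.1", True): (55, 187),
    ("11.1", False): (65, 12),
}
# Branches that are end of support and receive no fix: every build is affected.
ADC_EOL = {"12.0"}

# First fixed SD-WAN WANOP release per major.minor line: (patch, letter).
WANOP_FIXED = {
    "11.2": (1, "a"),
    "11.1": (2, "a"),
    "11.0": (3, "f"),
    "10.2": (7, "b"),
}

ADC_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")          # e.g. 13.0-64.35
WANOP_RE = re.compile(r"^(\d+\.\d+)\.(\d+)([a-z]?)$")      # e.g. 11.0.3f
# Constructed after the usual form of `show ns version` output on ADC,
# e.g. "NetScaler NS13.0: Build 64.35.nc, Date: ..." (assumed format).
SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_adc(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split 'branch-build.sub' into ('branch', (build, sub))."""
    m = ADC_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ADC version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def adc_version_from_show_output(line: str) -> Optional[str]:
    """Extract '13.0-64.35' style version from a `show ns version` line."""
    m = SHOW_VERSION_RE.search(line)
    if not m:
        return None
    return f"{m.group(1)}-{m.group(2)}.{m.group(3)}"


def adc_status(version: str, fips: bool = False) -> str:
    """Return 'fixed', 'vulnerable', 'unsupported' (EOL, no fix) or 'unknown'."""
    branch, build = parse_adc(version)
    if branch in ADC_EOL:
        return "unsupported"          # 12.0: affected, must upgrade branch
    fixed = ADC_FIXED.get((branch, fips))
    if fixed is None:
        return "unknown"              # branch not covered by the bulletin
    # Tuple comparison orders by build first, then sub-build.
    return "fixed" if build >= fixed else "vulnerable"


def wanop_status(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for an SD-WAN WANOP version."""
    m = WANOP_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised WANOP version string: {version!r}")
    line, patch, letter = m.group(1), int(m.group(2)), m.group(3)
    fixed = WANOP_FIXED.get(line)
    if fixed is None:
        return "unknown"
    # A release with no letter suffix sorts before one with a letter,
    # so 11.2.1 is below the fixed 11.2.1a while 11.2.2 is above it.
    return "fixed" if (patch, letter) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for v in ("13.0-58.30", "13.0-64.35", "12.0-63.21", "11.1-65.12"):
        print(f"ADC {v}: {adc_status(v)}")
    print("ADC 12.1-55.187 (FIPS):", adc_status("12.1-55.187", fips=True))
    print("ADC 12.1-55.187 (mainline):", adc_status("12.1-55.187"))
    for v in ("11.0.3e", "11.0.3f", "10.2.7b", "11.2.1"):
        print(f"WANOP {v}: {wanop_status(v)}")
    sample = "NetScaler NS13.0: Build 64.35.nc, Date: Sep 17 2020, 05:11:36"
    print("from show ns version:", adc_version_from_show_output(sample))
```

The comparison is deliberately per branch: a 12.1 build number is never compared with a 13.0 threshold, and the mainline 12.1 and 12.1-FIPS lines use different thresholds even though their version strings look alike, which is why the caller has to state which appliance type it is checking.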