{"id":13720,"date":"2020-03-17T11:13:48","date_gmt":"2020-03-17T10:13:48","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=13720"},"modified":"2020-03-17T11:13:48","modified_gmt":"2020-03-17T10:13:48","slug":"neue-schwachstellen-cve-2020-10110-cve-2020-10111-cve-2020-10112-in-citrix-gateway","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/03\/17\/neue-schwachstellen-cve-2020-10110-cve-2020-10111-cve-2020-10112-in-citrix-gateway\/","title":{"rendered":"New vulnerabilities CVE-2020-10110, CVE-2020-10111, CVE-2020-10112 in Citrix Gateway"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/03\/17\/neue-schwachstellen-cve-2020-10110-cve-2020-10111-cve-2020-10112-in-citrix-gateway\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]There are three new (and previously unpatched) vulnerabilities CVE-2020-10110, CVE-2020-10111, CVE-2020-10112 in the Citrix Gateway Firmware, which allow attackers to retrieve information or bypass security features. <\/p>\n<p>The vulnerabilities were discovered by the German SySS GmbH and reported to Citrix on 31 January 2020. The information was then disclosed on seclists on 6 March 2020. I became aware of this issue through the following tweet by Thorsten E. <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"sl\" dir=\"ltr\">Citrix ADC Triple CVE Month CVE-2020-10110, CVE-2020-10111, CVE-2020-10112 <a href=\"https:\/\/t.co\/ntGRtFzu9Q\">https:\/\/t.co\/ntGRtFzu9Q<\/a><\/p>\n<p>\u2014 Thorsten E. 
(@endi24) <a href=\"https:\/\/twitter.com\/endi24\/status\/1239804173153157120?ref_src=twsrc%5Etfw\">March 17, 2020<\/a><\/p><\/blockquote>\n<p>The linked post on LinkedIn addresses the three vulnerabilities <a href=\"https:\/\/seclists.org\/fulldisclosure\/2020\/Mar\/7\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-10110<\/a>, <a href=\"https:\/\/seclists.org\/fulldisclosure\/2020\/Mar\/11\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-10111<\/a>, <a href=\"https:\/\/seclists.org\/fulldisclosure\/2020\/Mar\/8\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-10112<\/a>. At first I thought 'why didn't you notice that'. After some brief research I found the security notice <a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Warnmeldungen\/DE\/CB\/2020\/03\/warnmeldung_cb-k20-0201_update_1.html\" target=\"_blank\" rel=\"noopener noreferrer\">CB-K20\/0201 Update 1<\/a> from the German BSI (and an English article on <a href=\"https:\/\/www.cybersecurity-help.cz\/vdb\/SB2020030805?affChecked=1\" target=\"_blank\" rel=\"noopener noreferrer\">this security site<\/a>), which contains a compact summary of the facts. Below I would like to provide some information for Citrix admins.<\/p>\n<h3>What is Citrix Gateway?<\/h3>\n<p>The <a href=\"https:\/\/www.citrix.com\/products\/citrix-gateway\/\" target=\"_blank\" rel=\"noopener noreferrer\">Citrix Gateway<\/a> is a customer-managed solution that can be deployed on premises or on any public cloud, such as AWS, Azure, or Google Cloud Platform. 
Citrix Gateway provides users with secure access and single sign-on to all the virtual, SaaS and web applications they need to be productive.<\/p>\n<h3>Vulnerabilities CVE-2020-10110, CVE-2020-10111, CVE-2020-10112<\/h3>\n<p>The vulnerabilities CVE-2020-10110, CVE-2020-10111, CVE-2020-10112 allow a remote attacker to gain access to information or bypass security measures without authentication. Citrix Gateway firmware versions 11.1, 12.0 and 12.1, including their subversions, are affected. The following security advisories are available for the three vulnerabilities:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.syss.de\/fileadmin\/dokumente\/Publikationen\/Advisories\/SYSS-2020-004.txt\" target=\"_blank\" rel=\"noopener noreferrer\">SySS Security Advisory of 2020-03-08<\/a> (<a href=\"https:\/\/seclists.org\/fulldisclosure\/2020\/Mar\/7\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-10110<\/a>): Information Exposure Through Caching (CWE-512). The Citrix Security Response Team does not see a security impact and does not consider it a vulnerability.<\/li>\n<li><a href=\"https:\/\/www.syss.de\/fileadmin\/dokumente\/Publikationen\/Advisories\/SYSS-2020-004.txt\">SySS Security Advisory of 2020-03-08<\/a> (<a href=\"https:\/\/seclists.org\/fulldisclosure\/2020\/Mar\/11\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-10111<\/a>): Inconsistent Interpretation of HTTP Requests (CWE-444). By using HTTP\/1.2 in the request, the cache can be bypassed, and the value in the PoC request is then processed correctly. The Citrix Security Response Team does not see a security impact and does not consider it a vulnerability.<\/li>\n<li><a href=\"https:\/\/www.syss.de\/fileadmin\/dokumente\/Publikationen\/Advisories\/SYSS-2020-004.txt\">SySS Security Advisory of 2020-03-08<\/a> (<a href=\"https:\/\/seclists.org\/fulldisclosure\/2020\/Mar\/8\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-10112<\/a>): Cache Poisoning (CAPEC-141). If a client requests a URL with the parameter \"value=A\", 
the parameter will be processed and the response will be cached. If another client is requesting the same URL but with a different parameter \"value=B\", the request will be answered with the initial response (\"value=A\") during the caching time (for 112 seconds). The Citrix Security Response Team does not see a security impact and does not consider it a vulnerability.<\/li>\n<\/ul>\n<p>The security researchers at SySS GmbH also rate the vulnerabilities as low, and the BSI has issued a security rating of 'medium'. The fact that the vulnerabilities can be exploited remotely is not very pleasant. So far, Citrix has not provided any firmware updates or other public details.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]There are three new (and previously unpatched) vulnerabilities CVE-2020-10110, CVE-2020-10111, CVE-2020-10112 in the Citrix Gateway Firmware, which allow attackers to retrieve information or bypass security features.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[448,580],"tags":[2338,2339,2340,2341,69],"class_list":["post-13720","post","type-post","status-publish","format-standard","hentry","category-devices","category-security","tag-citrix-gateway","tag-cve-2020-10110","tag-cve-2020-10111","tag-cve-2020-10112","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13720","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=13720"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp
-json\/wp\/v2\/posts\/13720\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=13720"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=13720"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=13720"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}