Citrix today patched a set of 11 vulnerabilities found to affect its Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP (appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO) networking products.
According to Citrix, these vulnerabilities are not related to CVE-2019-19781 remote code execution flaw the company patched in January 2020 and do not affect cloud versions of Citrix appliances.
The patches released today by Citrix fully resolve all the security issues, and customers are urged to apply them as soon as possible to defend against potential attacks designed to exploit them.
Citrix is not aware of any active exploitation of these issues in the wild and says that 5 of the 11 security vulnerabilities also have barriers preventing exploitation.
“There are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack,” Citrix’s CISO Fermin J. Serna explains.
“And in that case, only when Gateway or authentication virtual servers are being used. Other virtual servers, for example, load balancing and content switching virtual servers, are not affected by the issue.”
Even though the barriers lower the risk of exploitation, Citrix strongly recommends customers to apply patches as quickly as possible.
Denial of service, privilege escalation, and code injection
A security advisory with detailed information on these vulnerabilities and links to all the firmware updates is available on the Citrix website.
A list of all vulnerabilities fixed by Citrix in ADC, Gateway, and SD-WAN WANOP appliances can be found in the table embedded below, together with CVE IDs, the affected products, and pre-conditions needed for exploitation.
|CVE ID||Vulnerability Type||Affected Products||Attacker Privileges||Pre-conditions|
|CVE-2019-18177||Information disclosure||Citrix ADC, Citrix Gateway||Authenticated VPN user||Requires a configured SSL VPN endpoint|
|CVE-2020-8187||Denial of service||Citrix ADC, Citrix Gateway 12.0 and 11.1 only||Unauthenticated remote user||Requires a configured SSL VPN or AAA endpoint|
|CVE-2020-8190||Local elevation of privileges||Citrix ADC, Citrix Gateway||Authenticated user on the NSIP||This issue cannot be exploited directly. An attacker must first obtain nobody privileges using another exploit|
|CVE-2020-8191||Reflected Cross Site Scripting (XSS)||Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP||Unauthenticated remote user||Requires a victim who must open an attacker-controlled link in the browser while being on a network with connectivity to the NSIP|
|CVE-2020-8193||Authorization bypass||Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP||Unauthenticated user with access to the NSIP||Attacker must be able to access the NSIP|
|CVE-2020-8194||Code Injection||Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP||Unauthenticated remote user||Requires a victim who must download and execute a malicious binary from the NSIP|
|CVE-2020-8195||Information disclosure||Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP||Authenticated user on the NSIP||–|
|CVE-2020-8196||Information disclosure||Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP||Authenticated user on the NSIP||–|
|CVE-2020-8197||Elevation of privileges||Citrix ADC, Citrix Gateway||Authenticated user on the NSIP||–|
|CVE-2020-8198||Stored Cross Site Scripting (XSS)||Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP||Unauthenticated remote user||Requires a victim who must be logged in as an administrator (nsroot) on the NSIP|
|CVE-2020-8199||Local elevation of privileges||Citrix Gateway Plug-in for Linux||Local user on the Linux computer running Citrix Gateway Plug-in||A pre-installed version of Citrix Gateway Plug-in for Linux must be running|
The following versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP remediate the vulnerabilities:
- Citrix ADC and Citrix Gateway 13.0-58.30 and later releases
- Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases
- Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 releases
- Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 releases
- NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases
- Citrix SD-WAN WANOP 11.1.1a and later releases
- Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases
- Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases
- Citrix Gateway Plug-in for Linux 22.214.171.124 and later versions
If you are unable to immediately update to the latest version, you should ensure that access to the management interface is restricted using the steps detailed here.
Outcomes of successful exploitation
If successfully exploited, these vulnerabilities could lead to various security issues depending on the targeted area.
Thus, attacks that are limited to the management interface could lead to:
• System compromise by an unauthenticated user on the management network.
• System compromise through Cross Site Scripting (XSS) on the management interface
• Creation of a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, may result in the compromise of their local computer.
“Customers who have configured their systems in accordance with Citrix recommendations in https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html have significantly reduced their risk from attacks to the management interface,” Citrix explains.
Attacks that are applicable to a Virtual IP (VIP)could result in:
• Denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user (the load balancing virtual server is unaffected).
• Remote port scanning of the internal network by an authenticated Citrix Gateway user. Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices.
“Customers who have not enabled either the Gateway or Authentication virtual servers are not at risk from attacks that are applicable to those servers,” the company adds. “Other virtual servers e.g. load balancing and content switching virtual servers are not affected by these issues.”
One of the security issues patched today and found in the Citrix Gateway Plugin for Linux (tracked as CVE-2020-8199) can also be abused by local users to elevate privileges to an admin account.