Citrix published a security bulletin for 11 security flaws in its networking products, Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP edition. These critical flaws could let unauthenticated attackers perform code injection, information disclosure, and even denial-of-service attacks against the gateway or the authentication virtual servers.
11 security flaws
According to the company, the aforementioned issues do not impact other virtual servers, such as load balancing and content switching virtual servers. Also, Citrix-managed Gateway is not affected. Among the affected Citrix SD-WAN WANOP appliances include models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.
The following versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP remediate the vulnerabilities:
• Citrix ADC and Citrix Gateway 13.0-58.30 and later releases
• Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases
• Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 releases
• Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 releases
• NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases
• Citrix SD-WAN WANOP 11.1.1a and later releases
• Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases
• Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases
• Citrix Gateway Plug-in for Linux 1.0.0.137 and later versions
The company also said that these vulnerabilities were not connected to a previously fixed zero-day NetScaler flaw (tagged as CVE-2019-19781) that allowed bad actors to perform arbitrary code execution even without proper authentication.
According to the announcement, three of the six possible attacks in CTX276688 occur in the management interface of a vulnerable device. Citrix recommendations reduce the risk. The company also has added staff to its technical support call centers and are prepared to assist its customers.
Fermin S. Jerna, Chief Information Security Officer at Citrix, wrote a blog post, saying,
“Two of the remaining three possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.
Citrix recommended customers to download and apply the latest builds for Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances as soon as possible to mitigate risk and defend against potential attacks designed to exploit these flaws.