Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution, resulting in system compromise by an unauthenticated user on the management network.
THREAT INTELLIGENCE:
Various trusted third parties have identified increasing adversarial activity regarding these vulnerabilities.
- Citrix ADC and Citrix Gateway versions prior to 13.0-58.30
- Citrix ADC and NetScaler Gateway versions prior to 12.1-57.18 and 12.1
- Citrix ADC and NetScaler Gateway versions prior to 12.0-63.21 and 12.0 releases
- Citrix ADC and NetScaler Gateway versions prior to 11.1-64.14 and 11.1 releases
- NetScaler ADC and NetScaler Gateway versions prior to 10.5-70.18 and 10.5 releases
- Citrix SD-WAN WANOP versions prior to 11.1.1a
- Citrix SD-WAN WANOP versions prior to 11.0.3d and 11.0
- Citrix SD-WAN WANOP versions prior to 10.2.7 and 10.2 releases
- Citrix Gateway Plug-in for Linux versions prior to 1.0.0.137
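Checking an appliance inventory against the affected-version list above, as an added example that is not part of this advisory or of any Citrix tooling: the version-string formats (ADC/Gateway `MAJOR.MINOR-BUILD.SUB`, WANOP `MAJOR.MINOR.PATCH[letter]`) are inferred from the list, and the hostnames and inventory entries are constructed.

```python
import re

# Fixed builds per release branch from the advisory's affected-versions list
# (any build *prior to* these on the same branch is affected).
ADC_FIXED = {"13.0": (58, 30), "12.1": (57, 18), "12.0": (63, 21),
             "11.1": (64, 14), "10.5": (70, 18)}
WANOP_FIXED = {"11.1": (1, "a"), "11.0": (3, "d"), "10.2": (7, "")}

def parse_adc(version):
    """'MAJOR.MINOR-BUILD.SUB' (e.g. '12.1-57.18') -> (branch, (build, sub))."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ADC/Gateway version: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def parse_wanop(version):
    """'MAJOR.MINOR.PATCH[letter]' (e.g. '11.0.3d') -> (branch, (patch, letter)).
    The optional letter is a hotfix suffix; no letter sorts before 'a'."""
    m = re.fullmatch(r"(\d+\.\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unrecognised SD-WAN WANOP version: {version!r}")
    return m.group(1), (int(m.group(2)), m.group(3))

def adc_vulnerable(version):
    """True if below the fixed build for its branch, False if at or above,
    None when the branch is not listed in the advisory."""
    branch, build = parse_adc(version)
    return None if branch not in ADC_FIXED else build < ADC_FIXED[branch]

def wanop_vulnerable(version):
    branch, build = parse_wanop(version)
    return None if branch not in WANOP_FIXED else build < WANOP_FIXED[branch]

def triage(inventory):
    """Hostnames still needing the CTX276688 patches. inventory is a list of
    (hostname, product, version); product is 'adc' or 'wanop'. Branches the
    advisory does not list are not flagged (the check returns None)."""
    checks = {"adc": adc_vulnerable, "wanop": wanop_vulnerable}
    return [host for host, product, ver in inventory if checks[product](ver)]

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = [("gw-dmz-01", "adc", "13.0-47.24"), ("gw-dmz-02", "adc", "13.0-58.30"),
          ("wanop-br-01", "wanop", "11.0.3c"), ("wanop-br-02", "wanop", "10.2.7")]
```

`triage(SAMPLE)` returns `['gw-dmz-01', 'wanop-br-01']`; a build from a branch the advisory does not mention yields `None` and should be reviewed by hand rather than treated as patched.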
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in a number of security issues including:
- System compromise by an unauthenticated user on the management network.
- System compromise through Cross-Site Scripting (XSS) on the management interface.
- Creation of a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, may result in the compromise of their local computer.
- Denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user (the load balancing virtual server is unaffected).
- Remote port scanning of the internal network by an authenticated Citrix Gateway user. Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices.
- In addition, a vulnerability has been found in Citrix Gateway Plug-in for Linux that would allow a local logged-on user of a Linux system with that plug-in installed to elevate their privileges to an administrator account on that computer.
- After appropriate testing, immediately apply patches provided by Citrix to vulnerable systems.
- Remind users not to download, accept, or execute files from untrusted or unknown sources.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
Citrix:
https://support.citrix.com/article/CTX276688
SANS:
https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Rece...
NCCGROUP:
https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities...
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8187
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8193
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8194
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8195
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8198
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8199