{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-032.pdf"
    },
    "title": "Critical CITRIX Vulnerabilities",
    "serial_number": "2020-032",
    "publish_date": "08-07-2020 15:40:00",
    "description": "Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP. These vulnerabilities, if exploited, could result in a number of security issues including among others: (i) system compromise by an unauthenticated user on the management network, (ii) system compromise through Cross Site Scripting (XSS) on the management interface, (iii) denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user.",
    "url_title": "2020-032",
    "content_markdown": "---\ntitle: 'Critical CITRIX Vulnerabilities'\nversion: '1.0'\nnumber: '2020-032'\ndate: 'July 8, 2020'\n---\n\n_History:_\n\n* _08/07/2020 --- v1.0 -- Initial publication_\n\n# Summary\n\nMultiple vulnerabilities have been discovered in Citrix ADC\u202f(formerly known as NetScaler ADC), Citrix Gateway\u202f(formerly known as NetScaler Gateway)\u202fand Citrix SD-WAN WANOP. These vulnerabilities,\u202fif exploited,\u202fcould result in\u202fa number of\u202fsecurity issues\u202fincluding among others: (i) system compromise\u202fby\u202fan unauthenticated user on the management\u202fnetwork, (ii) system compromise through Cross Site Scripting (XSS) on the management interface, (iii) denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user [1].\n\n# Technical Details\n\nThe Citrix Security Bulletin lists 11 vulnerabilities in total. The details of the vulnerabilities and prerequisites to exploit them are provided in [1]. In particular, for attacks that are limited to the management interface pose the following security issues:\n\n- System compromise\u202fby\u202fan unauthenticated user on the management\u202fnetwork.\n- System compromise through Cross Site Scripting (XSS) on the management interface\n- Creation of a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, may result in the compromise of their local computer.\n\n**Mitigating Factors:** Customers who have configured their systems in accordance with Citrix recommendations in [3], have significantly reduced their risk from attacks to the management interface.\n\nFor attacks that are applicable to a Virtual IP (VIP), the security issues include:\n\n- Denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user (the load balancing virtual server is unaffected).\n- Remote port scanning of the internal network by an authenticated Citrix Gateway user. Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices.\n\n**Mitigating Factors:** Customers who have not enabled either the Gateway or Authentication virtual servers are not at risk from attacks that are applicable to those servers. Other virtual servers e.g. load balancing and content switching virtual servers are not affected by these issues.\n\n# Products Affected\n\n- Citrix ADC\u202f(formerly known as NetScaler ADC),\n- Citrix Gateway\u202f(formerly known as NetScaler Gateway),\n- Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO\n\n# Recommendations\n\nThe following versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP remediate the vulnerabilities [1]:\u202f\n\n- Citrix ADC and Citrix Gateway 13.0-58.30 and later\u202freleases\n- Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases\n- Citrix ADC and NetScaler Gateway 12.0-63.21\u202fand later\u202f12.0 releases\n- Citrix ADC and NetScaler Gateway 11.1-64.14\u202fand later\u202f11.1 releases\n- NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases\n- Citrix SD-WAN WANOP 11.1.1a and later releases\n- Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases\n- Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases\n- Citrix Gateway Plug-in for Linux\u202f1.0.0.137 and later versions\n\n# References\n\n[1] <https://support.citrix.com/article/CTX276688>\n\n[2] <https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/>\n\n[3] <https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>08/07/2020 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Multiple vulnerabilities have been discovered in Citrix ADC\u202f(formerly known as NetScaler ADC), Citrix Gateway\u202f(formerly known as NetScaler Gateway)\u202fand Citrix SD-WAN WANOP. These vulnerabilities,\u202fif exploited,\u202fcould result in\u202fa number of\u202fsecurity issues\u202fincluding among others: (i) system compromise\u202fby\u202fan unauthenticated user on the management\u202fnetwork, (ii) system compromise through Cross Site Scripting (XSS) on the management interface, (iii) denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>The Citrix Security Bulletin lists 11 vulnerabilities in total. The details of the vulnerabilities and prerequisites to exploit them are provided in [1]. In particular, for attacks that are limited to the management interface pose the following security issues:</p><ul><li>System compromise\u202fby\u202fan unauthenticated user on the management\u202fnetwork.</li><li>System compromise through Cross Site Scripting (XSS) on the management interface</li><li>Creation of a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, may result in the compromise of their local computer.</li></ul><p><strong>Mitigating Factors:</strong> Customers who have configured their systems in accordance with Citrix recommendations in [3], have significantly reduced their risk from attacks to the management interface.</p><p>For attacks that are applicable to a Virtual IP (VIP), the security issues include:</p><ul><li>Denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user (the load balancing virtual server is unaffected).</li><li>Remote port scanning of the internal network by an authenticated Citrix Gateway user. Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices.</li></ul><p><strong>Mitigating Factors:</strong> Customers who have not enabled either the Gateway or Authentication virtual servers are not at risk from attacks that are applicable to those servers. Other virtual servers e.g. load balancing and content switching virtual servers are not affected by these issues.</p><h2 id=\"products-affected\">Products Affected</h2><ul><li>Citrix ADC\u202f(formerly known as NetScaler ADC),</li><li>Citrix Gateway\u202f(formerly known as NetScaler Gateway),</li><li>Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>The following versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP remediate the vulnerabilities [1]:\u202f</p><ul><li>Citrix ADC and Citrix Gateway 13.0-58.30 and later\u202freleases</li><li>Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases</li><li>Citrix ADC and NetScaler Gateway 12.0-63.21\u202fand later\u202f12.0 releases</li><li>Citrix ADC and NetScaler Gateway 11.1-64.14\u202fand later\u202f11.1 releases</li><li>NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases</li><li>Citrix SD-WAN WANOP 11.1.1a and later releases</li><li>Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases</li><li>Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases</li><li>Citrix Gateway Plug-in for Linux\u202f1.0.0.137 and later versions</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.citrix.com/article/CTX276688\">https://support.citrix.com/article/CTX276688</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/\">https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html\">https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}