Vulnerability Description
Recently, NSFOCUS detected that Citrix had released a security bulletin on the remediation of 11 vulnerabilities in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP. Details are as follows:
CVE ID | Vulnerability Type | Affected Products | Attacker Privileges | Pre-conditions |
CVE-2019-18177 | Information disclosure | Citrix ADC, Citrix Gateway | Authenticated VPN user | Requires a configured SSL VPN endpoint |
CVE-2020-8187 | Denial of service | Citrix ADC, Citrix Gateway 12.0 and 11.1 only | Unauthenticated remote user | Requires a configured SSL VPN or AAA endpoint |
CVE-2020-8190 | Local elevation of privileges | Citrix ADC, Citrix Gateway | Authenticated user on the NSIP | This issue cannot be exploited directly. An attacker must first obtain nobody privileges using another exploit. |
CVE-2020-8191 | Reflected cross-site scripting (XSS) | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must open an attacker-controlled link in the browser whilst being on a network with connectivity to the NSIP |
CVE-2020-8193 | Authorization bypass | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated user with access to the NSIP | Attacker must be able to access the NSIP. |
CVE-2020-8194 | Code injection | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must download and execute a malicious binary from the NSIP |
CVE-2020-8195 | Information disclosure | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Authenticated user on the NSIP | – |
CVE-2020-8196 | Information disclosure | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Authenticated user on the NSIP | – |
CVE-2020-8197 | Elevation of privileges | Citrix ADC, Citrix Gateway | Authenticated user on the NSIP | – |
CVE-2020-8198 | Stored cross-site scripting (XSS) | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must be logged in as an administrator (nsroot) on the NSIP |
CVE-2020-8199 | Local elevation of privileges | Citrix Gateway Plug-in for Linux | Local user on the Linux computer running Citrix Gateway Plug-in | A pre-installed version of Citrix Gateway Plug-in for Linux must be running. |
PoCs for some of these vulnerabilities are now available on the Internet. Users are advised to upgrade Citrix products to a fixed version as soon as possible.
Citrix is a platform that integrates the functions of network management, firewalls, and gateways. Citrix ADC is a comprehensive application delivery and load balancing solution for monolithic and microservice-based applications. Citrix SD-WAN WANOP is used to optimize WAN links.
Reference link:
Scope of Impact
Affected Versions
- Citrix ADC and Citrix Gateway < 13.0-58.30
- Citrix ADC and NetScaler Gateway < 12.1-57.18
- Citrix ADC and NetScaler Gateway < 12.0-63.21
- Citrix ADC and NetScaler Gateway < 11.1-64.14
- NetScaler ADC and NetScaler Gateway < 10.5-70.18
- Citrix SD-WAN WANOP < 11.1.1a
- Citrix SD-WAN WANOP < 11.0.3d
- Citrix SD-WAN WANOP < 10.2.7
- Citrix Gateway Plug-in for Linux < 1.0.0.137
Unaffected Versions
- Citrix ADC and Citrix Gateway >= 13.0-58.30
- Citrix ADC and NetScaler Gateway >= 12.1-57.18
- Citrix ADC and NetScaler Gateway >= 12.0-63.21
- Citrix ADC and NetScaler Gateway >= 11.1-64.14
- NetScaler ADC and NetScaler Gateway >= 10.5-70.18
- Citrix SD-WAN WANOP >= 11.1.1a
- Citrix SD-WAN WANOP >= 11.0.3d
- Citrix SD-WAN WANOP >= 10.2.7
- Citrix Gateway Plug-in for Linux >= 1.0.0.137
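The fixed builds above are per release branch, so a deployed version has to be compared against the fix for its own branch rather than against any single number. The following check is an added example, not code from NSFOCUS or Citrix; it covers only the ADC/Gateway entries, assumes versions are written in the "MAJOR.MINOR-BUILD.SUB" form used in this advisory, and uses constructed hostnames and inventory values.

```python
import re

# Fixed builds per release branch, copied from the "Unaffected Versions" list.
ADC_FIXED = {
    (13, 0): (58, 30),
    (12, 1): (57, 18),
    (12, 0): (63, 21),
    (11, 1): (64, 14),
    (10, 5): (70, 18),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)-(\d+)\.(\d+)\s*$")


def parse_adc_version(text):
    """Split 'MAJOR.MINOR-BUILD.SUB' into ((major, minor), (build, sub))."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ADC/Gateway version: {text!r}")
    major, minor, build, sub = map(int, m.groups())
    return (major, minor), (build, sub)


def adc_status(text):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one version string."""
    branch, build = parse_adc_version(text)
    fixed = ADC_FIXED.get(branch)
    if fixed is None:
        # Branch is not listed in the advisory: do not guess, flag for review.
        return "unknown-branch"
    return "fixed" if build >= fixed else "vulnerable"


def triage(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: adc_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample values.
    sample = {
        "adc-edge-01": "13.0-58.30",
        "adc-edge-02": "12.1-55.18",  # higher than 12.0-63.21, still vulnerable
        "gw-dmz-01": "11.1-64.14",
        "gw-lab-01": "10.1-135.8",    # branch not covered by the advisory
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown-branch" are on a release the advisory does not list and need to be checked against the vendor bulletin by hand.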
Mitigation
Official Fix
Currently, the vendor has released versions to fix the vulnerabilities in all the products with official support. Affected users are advised to upgrade as soon as possible by downloading appropriate versions from the following link:
Note: Users of Citrix Gateway Plug-in for Linux need to log in to an updated version of Citrix Gateway, choose the “Network VPN mode”, and then complete the upgrade as prompted.
Workarounds
Users unable to immediately upgrade to the latest version are advised to take measures to restrict access to the management interface. For more information, see the official guide from the vendor:
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.