Citrix announced a set of vulnerabilities affecting Citrix ADC (NetScaler), Citrix Gateway (NetScaler Gateway), and Citrix SD-WAN WANOP appliances.

| CVE ID | Description | Vulnerability Type | Affected Products | Pre-conditions |
| --- | --- | --- | --- | --- |
| CVE-2020-8245 | An HTML Injection attack against the SSL VPN web portal | CWE-79: Improper Neutralization of Input During Web Page Generation | Citrix ADC, Citrix Gateway | Requires an authenticated victim on the SSL VPN web portal who must open an attacker-controlled link in the browser |
| CVE-2020-8246 | A denial of service attack originating from the management network | CWE-400: Uncontrolled Resource Consumption | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated attacker with access to the management network |
| CVE-2020-8247 | Escalation of privileges on the management interface | CWE-269: Improper Privilege Management | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | An attacker must possess privilege to execute arbitrary commands on the management interface |

The vulnerabilities are addressed in the following supported versions:
- Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
- Citrix ADC and NetScaler Gateway 12.1-58.15 and later releases
- Citrix ADC 12.1-FIPS 12.1-55.187 and later releases
- Citrix ADC and NetScaler Gateway 11.1-65.12 and later releases
- Citrix SD-WAN WANOP 11.2.1a and later releases
- Citrix SD-WAN WANOP 11.1.2a and later releases
- Citrix SD-WAN WANOP 11.0.3f and later releases
- Citrix SD-WAN WANOP 10.2.7b and later releases
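
For teams checking an inventory against the list above, the following added example (ours, not Citrix code) compares a version string with the fixed build for its release branch. It assumes versions are written in the notation this advisory uses (`13.0-64.35`, `11.2.1a`) and that WANOP letter suffixes sort alphabetically; the function names are hypothetical.

```python
import re

# Minimum fixed builds per release branch, copied from the list above.
ADC_FIXED = {"13.0": (64, 35), "12.1": (58, 15), "11.1": (65, 12)}
ADC_FIPS_FIXED = {"12.1": (55, 187)}  # the FIPS line has its own, lower build number
WANOP_FIXED = {"11.2": (1, "a"), "11.1": (2, "a"), "11.0": (3, "f"), "10.2": (7, "b")}


def _verdict(branch, build, table):
    # "unlisted" means this advisory names no fixed build for that branch,
    # so the appliance needs a manual look rather than an automatic pass.
    if branch not in table:
        return "unlisted"
    return "fixed" if build >= table[branch] else "vulnerable"


def check_adc(version, fips=False):
    """Classify a Citrix ADC / Gateway version such as '13.0-64.35'."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ADC version: {version!r}")
    build = (int(m.group(2)), int(m.group(3)))
    return _verdict(m.group(1), build, ADC_FIPS_FIXED if fips else ADC_FIXED)


def check_wanop(version):
    """Classify a Citrix SD-WAN WANOP version such as '11.2.1a'."""
    m = re.fullmatch(r"(\d+\.\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unrecognised WANOP version: {version!r}")
    # Assumption: '11.2.1' < '11.2.1a' < '11.2.1b' < '11.2.2'.
    release = (int(m.group(2)), m.group(3))
    return _verdict(m.group(1), release, WANOP_FIXED)


if __name__ == "__main__":
    # Constructed inventory entries, not real hosts.
    inventory = [
        ("adc-dmz-01", check_adc("13.0-58.32")),
        ("adc-fips-01", check_adc("12.1-55.187", fips=True)),
        ("adc-legacy-01", check_adc("12.0-63.21")),
        ("wanop-branch-01", check_wanop("11.0.3e")),
    ]
    for host, status in inventory:
        print(f"{host}: {status}")
```

Note that the same build number can be fixed on the FIPS line and still vulnerable on the standard 12.1 line, so the inventory has to record which line each appliance runs.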
Earlier this year, another Citrix ADC vulnerability led to many compromised systems, and to remediation and rebuild work for firms that did not respond quickly. With that in mind, we recommend that affected customers install applicable updates as soon as their patching schedule permits. More information is available here: https://support.citrix.com/article/CTX281474
If our team can be helpful, please reach out.