Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition appliances. If exploited, the vulnerabilities could result in the following issues:
- CVE-2020-8299 – Denial of service attack from the same Layer 2 network segment
- CVE-2020-8300 – SAML authentication hijack via phishing attack to steal a valid user session
Mitigating Factors
- CVE-2020-8299 – The attacking machine must be on the same Layer 2 network segment
- CVE-2020-8300 – ADC or Gateway must be configured as a SAML SP or IdP
Affected Versions
- CVE-2020-8299
  - ADC and Gateway 13.0 before 13.0.76.29
  - ADC and Gateway 12.1 before 12.1-61.18
  - Other versions listed in https://support.citrix.com/article/CTX297155
- CVE-2020-8300
  - ADC and Gateway 13.0 before 13.0-82.41
  - ADC and Gateway 12.1 before 12.1-62.23
  - Other versions listed in https://support.citrix.com/article/CTX297155
Recommended Action
- Update to a fixed version listed in https://support.citrix.com/article/CTX297155
- To resolve CVE-2020-8300, modify the device configuration per https://support.citrix.com/article/CTX316577
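The affected-version list and the "update to a fixed version" action above reduce to a build comparison per branch. The following Python script is an added example (not Citrix's code and not from the advisory) that parses the version banner an appliance reports and reports, for each CVE on this page, whether the build predates the fix. It assumes the banner has the shape `NetScaler NS13.0: Build 76.29.nc, Date: ...`, encodes only the 13.0 and 12.1 fixed builds listed on this page (other branches are deferred to CTX297155), and reads the page's `13.0.76.29` as build 76.29 on the 13.0 branch, consistent with the `13.0-82.41` notation used for the other entries. The sample banners at the bottom are constructed, not captured from real devices.

```python
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, int]

# Fixed builds exactly as this page lists them for the 13.0 and 12.1 branches.
# The page's "13.0.76.29" for CVE-2020-8299 is read as build 76.29 on the
# 13.0 branch, matching the "13.0-82.41" notation used for the other entries.
# Other branches are covered by CTX297155 and are deliberately not encoded here.
FIXED_BUILDS: Dict[str, Dict[str, Build]] = {
    "CVE-2020-8299": {"13.0": (76, 29), "12.1": (61, 18)},
    "CVE-2020-8300": {"13.0": (82, 41), "12.1": (62, 23)},
}

# Assumed banner shape: "NetScaler NS13.0: Build 76.29.nc, Date: ...".
_VERSION_RE = re.compile(
    r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<build>\d+\.\d+)", re.IGNORECASE
)


def parse_version(banner: str) -> Optional[Tuple[str, Build]]:
    """Extract (branch, (build_major, build_minor)) from a version banner.

    Returns None when the banner carries no recognisable version string.
    """
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    first, second = match.group("build").split(".")
    return match.group("branch"), (int(first), int(second))


def is_affected(cve: str, branch: str, build: Build) -> Optional[bool]:
    """True if `build` predates the fix for `cve` on `branch`.

    None means the branch is not in the table above, so no verdict is possible
    from this page alone (consult CTX297155 for the remaining branches).
    """
    fixed = FIXED_BUILDS[cve].get(branch)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (76, 29) < (82, 41)


def assess(banner: str) -> Dict[str, Optional[bool]]:
    """Map each CVE on this page to affected (True) / fixed (False) / unknown (None)."""
    parsed = parse_version(banner)
    if parsed is None:
        return {cve: None for cve in FIXED_BUILDS}
    branch, build = parsed
    return {cve: is_affected(cve, branch, build) for cve in FIXED_BUILDS}


if __name__ == "__main__":
    # Constructed sample banners; not output captured from real appliances.
    samples = [
        "NetScaler NS13.0: Build 76.29.nc, Date: Jan 01 2021, 00:00:00   (64-bit)",
        "NetScaler NS12.1: Build 62.23.nc, Date: Jan 01 2021, 00:00:00   (64-bit)",
        "NetScaler NS13.0: Build 47.24.nc, Date: Jan 01 2020, 00:00:00   (64-bit)",
        "NetScaler NS13.1: Build 4.43.nc, Date: Jan 01 2021, 00:00:00   (64-bit)",
    ]
    labels = {True: "AFFECTED", False: "fixed", None: "unknown (see CTX297155)"}
    for banner in samples:
        verdicts = assess(banner)
        summary = ", ".join(f"{cve}: {labels[v]}" for cve, v in verdicts.items())
        print(f"{banner.split(',')[0]:<35} -> {summary}")
```

A build that is fixed for CVE-2020-8299 can still be affected by CVE-2020-8300 (13.0 build 76.29 is one such case), which is why the script reports each CVE separately rather than a single verdict; a branch outside the page's table yields "unknown" rather than a false "fixed".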
More Information
You can read more about the issue here or reach out to our team if you would like professional assistance.