Security Alert (A20-09-05): Multiple Vulnerabilities in Citrix Products

Description:

Multiple vulnerabilities have been found in Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP.  An attacker with unauthorised access to the management network would be allowed to launch a denial of service attack originating from the network. To exploit the privilege escalation vulnerability, the attacker must possess privilege to execute arbitrary commands on the management interface.  A remote attacker would also entice an authenticated user to open a specially crafted URL to exploit the code injection vulnerability.

Affected Systems:

• Citrix ADC and Citrix Gateway prior to version 13.0-64.35
• Citrix ADC and NetScaler Gateway prior to version 12.1-58.15
• Citrix ADC and NetScaler Gateway prior to version 11.1-65.12
• Citrix ADC 12.1-FIPS prior to version 12.1-55.187
• Citrix SD-WAN WANOP prior to version 11.2.1a
• Citrix SD-WAN WANOP prior to version 11.1.2a
• Citrix SD-WAN WANOP prior to version 11.0.3f
• Citrix SD-WAN WANOP prior to version 10.2.7b

Impact:

Depending on the vulnerability exploited, a successful attack could lead to code injection, denial of service and elevation of privileges on an affected system.

Recommendation:

Citrix has released new versions to address the vulnerabilities to mitigate the issue. The details could be found at the following URL:

https://support.citrix.com/article/CTX281474

Administrators of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

More Information:

https://support.citrix.com/article/CTX281474
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8245 (to CVE-2020-8247)