-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2310
        Citrix Application Delivery Controller, Citrix Gateway, and
               Citrix SD-WAN WANOP appliance Security Update
                                8 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Application Delivery Controller
                   Citrix Gateway
                   Citrix SD-WAN WANOP appliance
Publisher:         Citrix
Operating System:  Network Appliance
Impact/Access:     Increased Privileges            -- Existing Account      
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account      
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8199 CVE-2020-8198 CVE-2020-8197
                   CVE-2020-8196 CVE-2020-8195 CVE-2020-8194
                   CVE-2020-8193 CVE-2020-8191 CVE-2020-8190
                   CVE-2020-8187 CVE-2019-18177 

Original Bulletin: 
   https://support.citrix.com/article/CTX276688

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update

Reference: CTX276688

Category : Critical

Created  : 07 Jul 2020

Modified : 07 Jul 2020

Applicable Products

  o Citrix ADC
  o Citrix Gateway
  o Citrix SD-WAN WANOP

Description of Problem

Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as
NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix
SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These
vulnerabilities, if exploited, could result in a number of security issues
including:

Attacks that are limited to the management interface

  o System compromise by an unauthenticated user on the management network.
  o System compromise through Cross Site Scripting (XSS) on the management
    interface
  o Creation of a download link for the device which, if downloaded and then
    executed by an unauthenticated user on the management network, may result
    in the compromise of their local computer.

Mitigating Factors : Customers who have configured their systems in accordance
with Citrix recommendations in https://docs.citrix.com/en-us/citrix-adc/
citrix-adc-secure-deployment/secure-deployment-guide.html have significantly
reduced their risk from attacks to the management interface.

Attacks that are applicable to a Virtual IP (VIP)

  o Denial of service against either the Gateway or Authentication virtual
    servers by an unauthenticated user (the load balancing virtual server is
    unaffected).
  o Remote port scanning of the internal network by an authenticated Citrix
    Gateway user. Attackers can only discern whether a TLS connection is
    possible with the port and cannot communicate further with the end devices.

Mitigating Factors : Customers who have not enabled either the Gateway or
Authentication virtual servers are not at risk from attacks that are applicable
to those servers. Other virtual servers e.g. load balancing and content
switching virtual servers are not affected by these issues.

In addition, a vulnerability has been found in Citrix Gateway Plug-in for Linux
that would allow a local logged-on user of a Linux system with that plug-in
installed to elevate their privileges to an administrator account on that
computer.

The issues have the following identifiers:

+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE ID              |Vulnerability|Affected Products                             |Attacker privileges                       |Pre-conditions                                            |
|                    |Type         |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2019-18177      |Information  |Citrix ADC, Citrix Gateway                    |Authenticated VPN user                    |Requires a configured SSL VPN endpoint                    |
|                    |disclosure   |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8187       |Denial of    |Citrix ADC, Citrix Gateway 12.0 and 11.1 only |Unauthenticated remote user               |Requires a configured SSL VPN or AAA endpoint             |
|                    |service      |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|                    |Local        |                                              |                                          |This issue cannot be exploited directly. An attacker must |
|CVE-2020-8190       |elevation of |Citrix ADC, Citrix Gateway                    |Authenticated user on the NSIP            |first obtain nobody privileges using another exploit      |
|                    |privileges   |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|                    |Reflected    |                                              |                                          |Requires a victim who must open an attacker-controlled    |
|CVE-2020-8191       |Cross Site   |Citrix ADC, Citrix Gateway, Citrix SDWAN      |Unauthenticated remote user               |link in the browser whilst being on a network with        |
|                    |Scripting    |WAN-OP                                        |                                          |connectivity to the NSIP                                  |
|                    |(XSS)        |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8193       |Authorization|Citrix ADC, Citrix Gateway, Citrix SDWAN      |Unauthenticated user with access to the   |Attacker must be able to access the NSIP                  |
|                    |bypass       |WAN-OP                                        |NSIP                                      |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8194       |Code         |Citrix ADC, Citrix Gateway, Citrix SDWAN      |Unauthenticated remote user               |Requires a victim who must download and execute a         |
|                    |Injection    |WAN-OP                                        |                                          |malicious binary from the NSIP                            |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8195       |Information  |Citrix ADC, Citrix Gateway, Citrix SDWAN      |Authenticated user on the NSIP            |-                                                         |
|                    |disclosure   |WAN-OP                                        |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8196       |Information  |Citrix ADC, Citrix Gateway, Citrix SDWAN      |Authenticated user on the NSIP            |-                                                         |
|                    |disclosure   |WAN-OP                                        |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8197       |Elevation of |Citrix ADC, Citrix Gateway                    |Authenticated user on the NSIP            |-                                                         |
|                    |privileges   |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|                    |Stored Cross |                                              |                                          |                                                          |
|CVE-2020-8198       |Site         |Citrix ADC, Citrix Gateway, Citrix SDWAN      |Unauthenticated remote user               |Requires a victim who must be logged in as an             |
|                    |Scripting    |WAN-OP                                        |                                          |administrator (nsroot) on the NSIP                        |
|                    |(XSS)        |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|                    |Local        |                                              |Local user on the Linux computer running  |A pre-installed version of Citrix Gateway Plug-in for     |
|CVE-2020-8199       |elevation of |Citrix Gateway Plug-in for Linux              |Citrix Gateway Plug-in                    |Linux must be running                                     |
|                    |privileges   |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+

The following versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP
remediate the vulnerabilities:

  o Citrix ADC and Citrix Gateway 13.0-58.30 and later releases
  o Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases
  o Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 releases
  o Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 releases
  o NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases
  o Citrix SD-WAN WANOP 11.1.1a and later releases
  o Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases
  o Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases
  o Citrix Gateway Plug-in for Linux 1.0.0.137 and later versions
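The two practical questions this advisory leaves an operator with are whether the running build is at or above the fixed build for its release train, and which configured virtual servers fall under the "applicable to a Virtual IP" issues (only Gateway and Authentication virtual servers, per the Mitigating Factors above). The following triage helper is an added example and is not Citrix's or AusCERT's tooling. The fixed-build tables are copied from the list above; the "show ns version" string and the ns.conf lines used as input are constructed, and the "add vpn vserver" / "add authentication vserver" line layout is assumed from typical ns.conf output.

```python
"""Triage helper for CTX276688: is the running build fixed, and which configured
virtual servers are in scope for the VIP-side issues?

Added example, not Citrix's or AusCERT's tooling. Fixed-build tables are copied
from the advisory; sample inputs are constructed; the ns.conf line format is an
assumption based on typical 'add ... vserver' lines.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed build per Citrix ADC / Gateway release train (from the advisory).
ADC_FIXED: Dict[str, Tuple[int, int]] = {
    "13.0": (58, 30), "12.1": (57, 18), "12.0": (63, 21),
    "11.1": (64, 14), "10.5": (70, 18),
}
# Minimum fixed release per SD-WAN WANOP train (from the advisory).
WANOP_FIXED: Dict[str, str] = {"11.1": "11.1.1a", "11.0": "11.0.3d", "10.2": "10.2.7"}

_NS_VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_ns_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Parse 'show ns version' output such as
    'NetScaler NS13.0: Build 58.30.nc, Date: ...' into (train, major, minor)."""
    m = _NS_VERSION_RE.search(text)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None


def adc_status(text: str) -> str:
    """'fixed' | 'vulnerable' | 'not_in_advisory' | 'unknown' for an ADC/Gateway build."""
    parsed = parse_ns_version(text)
    if parsed is None:
        return "unknown"
    train, major, minor = parsed
    fixed = ADC_FIXED.get(train)
    if fixed is None:
        # Trains the advisory does not list (end-of-life or newer ones) cannot be
        # judged from the fix table; flag them for manual review.
        return "not_in_advisory"
    return "fixed" if (major, minor) >= fixed else "vulnerable"


def _wanop_key(version: str) -> Tuple[int, int, int, str]:
    """'11.0.3d' -> (11, 0, 3, 'd'); '10.2.7' -> (10, 2, 7, ''). A hotfix letter
    sorts after the bare release, so 11.0.3 < 11.0.3d < 11.0.3e < 11.0.4."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unrecognised WANOP version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def wanop_status(version: str) -> str:
    """Same verdicts as adc_status(), for an SD-WAN WANOP release string."""
    try:
        key = _wanop_key(version)
    except ValueError:
        return "unknown"
    fixed = WANOP_FIXED.get(f"{key[0]}.{key[1]}")
    if fixed is None:
        return "not_in_advisory"
    return "fixed" if key >= _wanop_key(fixed) else "vulnerable"


# Only Gateway (vpn) and Authentication vservers are exposed to the VIP-side issues
# (CVE-2020-8187 DoS, CVE-2019-18177 port scanning); lb and cs vservers are not.
_VSERVER_RE = re.compile(r"^add (vpn|authentication|lb|cs) vserver (\S+) (\S+) (\S+) (\d+)")
IN_SCOPE_TYPES = {"vpn": "Gateway", "authentication": "Authentication"}


def exposed_vservers(ns_conf: str) -> List[Tuple[str, str, str, int]]:
    """Return (kind, name, ip, port) for every Gateway or Authentication vserver
    found in ns.conf text; other vserver kinds are skipped."""
    found = []
    for line in ns_conf.splitlines():
        m = _VSERVER_RE.match(line.strip())
        if m and m.group(1) in IN_SCOPE_TYPES:
            found.append((IN_SCOPE_TYPES[m.group(1)], m.group(2), m.group(4), int(m.group(5))))
    return found


# Constructed sample input (not taken from a real appliance).
SAMPLE_VERSION = "NetScaler NS12.1: Build 55.13.nc, Date: Dec 10 2019, 12:34:56"
SAMPLE_NS_CONF = """\
add lb vserver lb_intranet SSL 203.0.113.5 443
add vpn vserver gw_remote_access SSL 203.0.113.10 443 -Listenpolicy NONE
add authentication vserver aaa_portal SSL 203.0.113.11 443
add cs vserver cs_edge SSL 203.0.113.12 443
"""

if __name__ == "__main__":
    print("build:", adc_status(SAMPLE_VERSION))
    for kind, name, ip, port in exposed_vservers(SAMPLE_NS_CONF):
        print(f"in scope: {kind} vserver {name} on {ip}:{port}")
```

Run against the constructed sample, the build is reported as vulnerable (12.1 build 55.13 is below 57.18) and the Gateway and Authentication vservers are listed while the load balancing and content switching ones are ignored, matching the advisory's scoping. A build on a train the advisory does not list is reported as not_in_advisory rather than fixed, since the fix table says nothing about it.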

What Customers Should Do

Fixed builds have been released for all supported versions of Citrix ADC,
Citrix Gateway and Citrix SD-WAN WANOP. Citrix strongly recommends that
customers immediately install these updates.

The latest builds can be downloaded from https://www.citrix.com/downloads/
citrix-adc/ and https://www.citrix.com/downloads/citrix-gateway/ and https://
www.citrix.com/downloads/citrix-sd-wan/ .

Customers who are unable to immediately update to the latest version are
advised to ensure that access to the management interface (NSIP) is restricted
to the management network. Please see
https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/
secure-deployment-guide.html for more information.

Users with Citrix Gateway Plug-in for Linux should log in to an updated version
of Citrix Gateway and select 'Network VPN mode'. Citrix Gateway will then
prompt the user to update.

Customers with Citrix-managed Citrix Gateway service do not need to take any
action.

Acknowledgements

Citrix thanks Laurent Geyer of Akamai, Muris Kurgas of Digital 14 (Xen1thLabs),
Maarten Boone (@staatsgeheim), Donny Maasland (@donnymaasland), Albert Shi of
Univision Network (Shanghai) Co., Ltd and Viktor Dragomiretskyy for working
with us to protect Citrix customers.

Changelog

+--------------------------+--------------------------------------------------+
|Date                      |Change                                            |
+--------------------------+--------------------------------------------------+
|2020-07-07                |Initial publication                               |
+--------------------------+--------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----