ESB-2019.0761 - [Virtual] Citrix Application Delivery Management (ADM) Agent: Access privileged data - Remote/unauthenticated 2019-03-12


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0761
    Citrix Application Delivery Management (ADM) Agent Security Update
                               12 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Application Delivery Management (ADM) Agent
Publisher:         Citrix
Operating System:  Virtualisation
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9548  

Original Bulletin: 
   https://support.citrix.com/article/CTX247738

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Application Delivery Management (ADM) Agent Security Update

Reference: CTX247738

Category : Critical

Created  : 11 Mar 2019

Modified : 11 Mar 2019

Applicable Products

  o Citrix Application Delivery Management

Description of Problem

A vulnerability has been identified in Citrix Application Delivery Management
Agent that could allow an unauthenticated attacker with network access to the
management agent interface to obtain sensitive information. Disclosed
information could be used for privilege escalation beyond the agent system.

The following deployment scenarios are affected:

1. Citrix Application Delivery Management server on-prem with ADM Agents

2. Citrix Application Delivery Management on Cloud with ADM Agents deployed
on-prem or customer-managed cloud datacenters.

This vulnerability has been assigned the following CVE number:

o CVE-2019-9548: Information Disclosure Vulnerability in Citrix Application
Delivery Management Agent.

This vulnerability affects the following product versions:

o Citrix Application Delivery Management Agent version 12.1 earlier than build
50.33

o Citrix Application Delivery Management Agent Cloud version 13.0 earlier than
build 33.23

Mitigating Factors

In order to exploit this vulnerability, an attacker would require network
access to the management agent interface. In situations where the agent
management interface has been limited to only trusted network traffic, the
exposure of the issue is limited.

Agents deployed as a part of a valid (non-expired) Citrix Cloud subscription of
Citrix ADM and updated to the latest agent version 13.0-33.23 or newer are
unaffected.

What Customers Should Do

This vulnerability has been addressed in the following version of Citrix
Application Delivery Management Agent:

o Citrix Application Delivery Management Agent version 12.1 build 50.33 and
later

o Citrix Application Delivery Management Agent Cloud version 13.0 build 33.23
and later
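The affected and fixed builds above translate directly into a fleet check. The following is an added example written for this bulletin, not code from Citrix or AusCERT; it assumes agent version strings in the "major.minor-build.sub" form the advisory uses (e.g. "13.0-33.23", optionally prefixed with "NS"), and the inventory entries are constructed sample data.

```python
import re
from typing import NamedTuple, Optional

# Fixed builds per release branch, as stated in CTX247738:
# branch 12.1 is fixed from build 50.33, branch 13.0 (Cloud) from build 33.23.
FIXED_BUILDS = {
    (12, 1): (50, 33),
    (13, 0): (33, 23),
}

# "major.minor-build.sub", e.g. "13.0-33.23". The optional "NS" prefix and a
# space as separator are an assumption about how inventories record the value.
_VERSION_RE = re.compile(r"^(?:NS)?(\d+)\.(\d+)[- ](\d+)\.(\d+)$")


class AgentVersion(NamedTuple):
    branch: tuple  # (major, minor)
    build: tuple   # (build, sub)


def parse_version(text: str) -> AgentVersion:
    """Parse an ADM Agent version string into integer (branch, build) tuples."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ADM Agent version string: {text!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return AgentVersion((major, minor), (build, sub))


def is_affected(text: str) -> Optional[bool]:
    """True if the build is earlier than the fixed build for its branch,
    False if it is at or after the fix, None if the branch is not covered
    by the advisory (treat None as "unknown", never as "safe")."""
    v = parse_version(text)
    fixed = FIXED_BUILDS.get(v.branch)
    if fixed is None:
        return None
    return v.build < fixed  # tuple comparison: build first, then sub-build


def triage(inventory):
    """Map hostname -> status for a list of (hostname, version) pairs."""
    labels = {True: "affected", False: "fixed", None: "not covered"}
    return {host: labels[is_affected(ver)] for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("adm-agent-01", "12.1-50.33"), ("adm-agent-02", "13.0-33.10"),
              ("adm-agent-03", "NS13.0 33.23"), ("adm-agent-04", "12.0-58.15")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```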

Citrix strongly recommends that customers affected by this vulnerability
upgrade to a version of the Citrix Application Delivery Management Agent that
contains a fix for this issue as soon as possible.

The latest on-prem version is available on the Citrix website at the following
address:

https://www.citrix.com/downloads/citrix-application-management/

The latest Cloud version is available in the Citrix Cloud Application Delivery
Management portal under Networks > Agents.

In line with industry best practice, Citrix also recommends that customers
limit access to the management agent interface to trusted network traffic only.

For deployments that are unable to apply the mitigating updates, the following
document describes agent configuration changes that are available to mitigate
the issue until such time as the appropriate updates can be applied:

CTX247823 - Blocking network access to Citrix Application Delivery Management
Agent

Note: Blocking these ports will prevent CPX Auto-registration.

Changelog

+----------------------------------+------------------------------------------+
|Date                              |Change                                    |
+----------------------------------+------------------------------------------+
|11th March 2019                   |Initial Publication                       |
+----------------------------------+------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
