===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3476
                        Citrix SD-WAN Security Update
                              12 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix SD-WAN
Publisher:         Citrix
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11479 CVE-2019-11478 CVE-2019-11477
Reference:         ASB-2019.0174 ASB-2019.0172 ESB-2019.3439 ESB-2019.3391
                   ASB-2019.0178.2
Original Bulletin: https://support.citrix.com/article/CTX256918

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix SD-WAN Security Update

Reference: CTX256918
Category : Medium
Created  : 11 Sep 2019
Modified : 11 Sep 2019

Applicable Products

  o Citrix SD-WAN

Description of Problem

Multiple denial of service vulnerabilities have been identified in the
Citrix SD-WAN Appliance and Citrix SD-WAN Center Management Console. These
vulnerabilities could permit a remote attacker to cause a denial of service
by causing a host crash or by causing reduced service capacity due to
resource exhaustion.

The vulnerabilities have been assigned the following CVE numbers:

  o CVE-2019-11477: SACK Panic
  o CVE-2019-11478: SACK Slowness or Excess Resource Usage
  o CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values

Mitigating Factors

In order to protect against these vulnerabilities and web application
related issues, Citrix recommends that access to the management console be
restricted. In situations where customers have deployed their management
console in line with industry best practice, network access to this
interface should already be restricted.
Security Best Practices: 10.x -
https://docs.citrix.com/en-us/netscaler-sd-wan/10/best-practices/security-best-practices.html

What Customers Should Do

These vulnerabilities have been addressed in the following software
versions:

  o NetScaler SD-WAN 10.0.8
  o Citrix SD-WAN 10.2.4
  o Citrix SD-WAN 11.0.1

Citrix recommends that customers using vulnerable software upgrade their
management console to the new version or later as soon as possible.

Customers using versions of the product that will not contain a fix (i.e.
9.3.x) are advised to consider upgrading to a version that does contain the
fix (i.e. 11.0.1).

The new software versions will be available on the Citrix website.
Information on the available versions can be found at the following
location:

https://www.citrix.com/downloads/netscaler-sd-wan/

In line with general best practice, Citrix also recommends that customers
limit access to the management console of the Citrix SD-WAN Appliance and
Citrix SD-WAN Center Management Console to trusted network traffic only.

Changelog

+--------------------------------------+--------------------------------------+
|Date                                  |Change                                |
+--------------------------------------+--------------------------------------+
|11th September 2019                   |Initial Publication                   |
+--------------------------------------+--------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
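The "What Customers Should Do" section above gives fixed versions per release branch (10.0.8, 10.2.4, 11.0.1) and names 9.3.x as a branch that will not be fixed. The following script, an added example and not part of the AusCERT or Citrix bulletin, triages a constructed appliance inventory against those version thresholds; the hostnames and versions in SAMPLE_INVENTORY are made up, and the status strings and the handling of branches the bulletin does not mention (reported as "unknown-branch") are this example's own assumptions.

```python
"""Triage Citrix SD-WAN versions against the fixed versions in CTX256918."""
from typing import Dict, Iterable, Tuple

# Fixed version per release branch, as listed in the bulletin.
FIXED_BY_BRANCH = {
    (10, 0): (10, 0, 8),   # NetScaler SD-WAN 10.0.8
    (10, 2): (10, 2, 4),   # Citrix SD-WAN 10.2.4
    (11, 0): (11, 0, 1),   # Citrix SD-WAN 11.0.1
}
# Branch the bulletin says will not receive a fix (upgrade to 11.0.1 instead).
UNFIXED_BRANCHES = {(9, 3)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.4' (or '10.2.4.1') into an int tuple so 10.0.10 > 10.0.8."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one version string relative to the bulletin's fixed versions."""
    v = parse_version(version)
    branch = v[:2]
    if branch in UNFIXED_BRANCHES:
        return "vulnerable-no-fix"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "unknown-branch"          # assumption: branch not covered by the bulletin
    padded = v + (0,) * (3 - len(v)) if len(v) < 3 else v   # '10.2' compares as 10.2.0
    return "fixed" if padded >= fixed else "vulnerable"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to its status."""
    return {host: assess(ver) for host, ver in inventory}


# Constructed sample inventory; hostnames and versions are invented.
SAMPLE_INVENTORY = [
    ("sdwan-branch-01", "10.2.3"),
    ("sdwan-branch-02", "10.2.4"),
    ("sdwan-dc-01", "10.0.10"),
    ("sdwan-legacy", "9.3.7"),
    ("sdwan-center", "11.0.1"),
    ("sdwan-lab", "10.1.2"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```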