-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2310
  Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN
                        WANOP appliance Security Update
                                 8 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Application Delivery Controller
                   Citrix Gateway
                   Citrix SD-WAN WANOP appliance
Publisher:         Citrix
Operating System:  Network Appliance
Impact/Access:     Increased Privileges            -- Existing Account
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8199 CVE-2020-8198 CVE-2020-8197 CVE-2020-8196
                   CVE-2020-8195 CVE-2020-8194 CVE-2020-8193 CVE-2020-8191
                   CVE-2020-8190 CVE-2020-8187 CVE-2019-18177

Original Bulletin:
   https://support.citrix.com/article/CTX276688

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP
appliance Security Update

Reference: CTX276688
Category : Critical
Created  : 07 Jul 2020
Modified : 07 Jul 2020

Applicable Products

  o Citrix ADC
  o Citrix Gateway
  o Citrix SD-WAN WANOP

Description of Problem

Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as
NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix
SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.

These vulnerabilities, if exploited, could result in a number of security
issues including:

Attacks that are limited to the management interface

  o System compromise by an unauthenticated user on the management network.
  o System compromise through Cross Site Scripting (XSS) on the management
    interface.
  o Creation of a download link for the device which, if downloaded and then
    executed by an unauthenticated user on the management network, may result
    in the compromise of their local computer.

Mitigating Factors: Customers who have configured their systems in accordance
with Citrix recommendations in
https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html
have significantly reduced their risk from attacks to the management interface.

Attacks that are applicable to a Virtual IP (VIP)

  o Denial of service against either the Gateway or Authentication virtual
    servers by an unauthenticated user (the load balancing virtual server is
    unaffected).
  o Remote port scanning of the internal network by an authenticated Citrix
    Gateway user. Attackers can only discern whether a TLS connection is
    possible with the port and cannot communicate further with the end
    devices.

Mitigating Factors: Customers who have not enabled either the Gateway or
Authentication virtual servers are not at risk from attacks that are applicable
to those servers. Other virtual servers, e.g. load balancing and content
switching virtual servers, are not affected by these issues.

In addition, a vulnerability has been found in Citrix Gateway Plug-in for Linux
that would allow a local logged-on user of a Linux system with that plug-in
installed to elevate their privileges to an administrator account on that
computer.

The issues have the following identifiers:

+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE ID              |Vulnerability|Affected Products                             |Attacker privileges                       |Pre-conditions                                            |
|                    |Type         |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2019-18177      |Information  |Citrix ADC, Citrix Gateway                    |Authenticated VPN user                    |Requires a configured SSL VPN endpoint                    |
|                    |disclosure   |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8187       |Denial of    |Citrix ADC, Citrix Gateway 12.0 and 11.1 only |Unauthenticated remote user               |Requires a configured SSL VPN or AAA endpoint             |
|                    |service      |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|                    |Local        |                                              |                                          |This issue cannot be exploited directly. An attacker must |
|CVE-2020-8190       |elevation of |Citrix ADC, Citrix Gateway                    |Authenticated user on the NSIP            |first obtain nobody privileges using another exploit      |
|                    |privileges   |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|                    |Reflected    |                                              |                                          |Requires a victim who must open an attacker-controlled    |
|CVE-2020-8191       |Cross Site   |Citrix ADC, Citrix Gateway, Citrix SDWAN      |Unauthenticated remote user               |link in the browser whilst being on a network with        |
|                    |Scripting    |WAN-OP                                        |                                          |connectivity to the NSIP                                  |
|                    |(XSS)        |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8193       |Authorization|Citrix ADC, Citrix Gateway, Citrix SDWAN      |Unauthenticated user with access to the   |Attacker must be able to access the NSIP                  |
|                    |bypass       |WAN-OP                                        |NSIP                                      |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8194       |Code         |Citrix ADC, Citrix Gateway, Citrix SDWAN      |Unauthenticated remote user               |Requires a victim who must download and execute a         |
|                    |Injection    |WAN-OP                                        |                                          |malicious binary from the NSIP                            |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8195       |Information  |Citrix ADC, Citrix Gateway, Citrix SDWAN      |Authenticated user on the NSIP            |-                                                         |
|                    |disclosure   |WAN-OP                                        |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8196       |Information  |Citrix ADC, Citrix Gateway, Citrix SDWAN      |Authenticated user on the NSIP            |-                                                         |
|                    |disclosure   |WAN-OP                                        |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|CVE-2020-8197       |Elevation of |Citrix ADC, Citrix Gateway                    |Authenticated user on the NSIP            |-                                                         |
|                    |privileges   |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|                    |Stored Cross |                                              |                                          |                                                          |
|CVE-2020-8198       |Site         |Citrix ADC, Citrix Gateway, Citrix SDWAN      |Unauthenticated remote user               |Requires a victim who must be logged in as an             |
|                    |Scripting    |WAN-OP                                        |                                          |administrator (nsroot) on the NSIP                        |
|                    |(XSS)        |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+
|                    |Local        |                                              |Local user on the Linux computer running  |A pre-installed version of Citrix Gateway Plug-in for     |
|CVE-2020-8199       |elevation of |Citrix Gateway Plug-in for Linux              |Citrix Gateway Plug-in                    |Linux must be running                                     |
|                    |privileges   |                                              |                                          |                                                          |
+--------------------+-------------+----------------------------------------------+------------------------------------------+----------------------------------------------------------+

The following versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP
remediate the vulnerabilities:

  o Citrix ADC and Citrix Gateway 13.0-58.30 and later releases
  o Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases
  o Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 releases
  o Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 releases
  o NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases
  o Citrix SD-WAN WANOP 11.1.1a and later releases
  o Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases
  o Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases
  o Citrix Gateway Plug-in for Linux 1.0.0.137 and later versions

What Customers Should Do

Fixed builds have been released for all supported versions of Citrix ADC,
Citrix Gateway and Citrix SD-WAN WANOP. Citrix strongly recommends that
customers immediately install these updates. The latest builds can be
downloaded from https://www.citrix.com/downloads/citrix-adc/ ,
https://www.citrix.com/downloads/citrix-gateway/ and
https://www.citrix.com/downloads/citrix-sd-wan/ .

Customers who are unable to immediately update to the latest version are
advised to ensure that access to the management interface is restricted.
Please see
https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html
for more information.

Users with Citrix Gateway Plug-in for Linux should log in to an updated version
of Citrix Gateway and select 'Network VPN mode'. Citrix Gateway will then
prompt the user to update.

Customers with Citrix-managed Citrix Gateway service do not need to take any
action.

Acknowledgements

Citrix thanks Laurent Geyer of Akamai, Muris Kurgas of Digital 14
(Xen1thLabs), Maarten Boone (@staatsgeheim), Donny Maasland (@donnymaasland),
Albert Shi of Univision Network (Shanghai) Co., Ltd and Viktor Dragomiretskyy
for working with us to protect Citrix customers.

Changelog

+--------------------------+--------------------------------------------------+
|Date                      |Change                                            |
+--------------------------+--------------------------------------------------+
|2020-07-07                |Initial publication                               |
+--------------------------+--------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXwUtvuNLKJtyKPYoAQheFg/+Ijj6qmS3LOPJxjTooeP5hwWDJalhMJtb
8ty+Oo5qQmjj8ULpeKOhg6uOoKZrLxZsAfCg9yBc7NyXdFY9Qcx1pivOVtx9w6FJ
NQ7phP8g+QZRje0W00Q8J0rKhbzrnzfldSeRMc4zRPFCi9ypR5ul5OZnQ5RJDzh1
evjMijvnS+4NydQ3dTlnOlIZypQdVES5wQKnLuRH/DbXTG5VyRQ8e6UpGW0VEHGw
L+4avj87SUXGG1xFlqAmrBSLRYM365YZnHUFl+v+K07Htu11Zh6oozspoAqtKQem
fallm1fE0SayoIMhYQ0ZIoyT7zHthnQOfGWx0r6zo43l4pG7R7RJbidZVC1ZWE9v
r/a8YXSS3ZzUg9j75MomixcKCCd7MBAWB9qjfs1OCfklYWiaqg1WR4u9G05QRvgE
rlnIRMe1TIeq/foJGLOimVG+PC1pnltbmw6dxGYTzz2lRovKqEOEpJmmP1KXKHF/
dYhrVXn2pMBx74o83w9vy5iyCz9ne8rMl8YhbMuLpJipYyIXBXLlOm0j4KQutEkm
cS4lOrDNEpkoicmx7ZGkshssmTYavJw2lY84sjDEkJBUs1P/y1Q2rCf2zB9aBg+W
iewYQAmB7A9IedOImSwUydKRGhJlpzYRayWKaErCFM+QQp/GbXqCMQ85XKRfmjtT
+ns3NL2QhzQ=
=4j/P
-----END PGP SIGNATURE-----
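Editor's added example, not part of the AusCERT bulletin or of Citrix's advisory: the practical question this bulletin raises is "which of my appliances are still below the fixed builds listed above?", and answering it across an estate means comparing release train and build number separately (13.0-52.24 is vulnerable, 12.1-57.18 is fixed, and a 12.1 build is never "newer" than a 13.0 build). The script below encodes the fixed-build list from the advisory for Citrix ADC/Gateway and for SD-WAN WANOP, handles the hotfix-letter suffixes the WANOP versions carry (11.0.3c is older than 11.0.3d), treats a train newer than any listed one as fixed ("and later releases") and a train older than 10.5 as unknown rather than silently passing it. The tolerant parsing of a `show ns version` style banner and the sample inventory are assumptions constructed for the example.

```python
"""Triage Citrix ADC / Gateway and SD-WAN WANOP build strings against the
fixed builds published in CTX276688 (July 2020).

Added example for this bulletin; not Citrix's or AusCERT's code. The
inventory at the bottom is constructed sample data, and accepting the
`show ns version` banner format is an assumption about what an operator
is likely to paste in.
"""
import re

# Minimum fixed build per release train, taken from the advisory.
# Citrix ADC / Gateway strings look like "<train>-<build>.<sub>", e.g. 13.0-58.30
ADC_FIXED = {
    (13, 0): (58, 30),
    (12, 1): (57, 18),
    (12, 0): (63, 21),
    (11, 1): (64, 14),
    (10, 5): (70, 18),
}
# Citrix SD-WAN WANOP strings look like "<train>.<maint><hotfix letter>", e.g. 11.0.3d
WANOP_FIXED = {
    (11, 1): (1, "a"),
    (11, 0): (3, "d"),
    (10, 2): (7, ""),
}

# Matches "13.0-58.30" and also a banner such as
# "NetScaler NS13.0: Build 58.30.nc, Date: ..." (banner format assumed).
_ADC_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)\D+(\d+)\.(\d+)")
_WANOP_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def _status(train, build, fixed):
    """Return "fixed", "vulnerable" or "unknown" for (train, build).

    A train newer than any listed one is treated as fixed, matching the
    advisory's "and later releases". A train older than the oldest listed
    one is not covered by the advisory at all, so it is reported as
    "unknown" and left for manual review instead of being passed.
    """
    if train in fixed:
        return "fixed" if build >= fixed[train] else "vulnerable"
    if train > max(fixed):
        return "fixed"
    return "unknown"


def check_adc(version):
    m = _ADC_RE.search(version)
    if not m:
        return "unknown"
    major, minor, build, sub = (int(g) for g in m.groups())
    return _status((major, minor), (build, sub), ADC_FIXED)


def check_wanop(version):
    m = _WANOP_RE.search(version)
    if not m:
        return "unknown"
    major, minor, maint = (int(g) for g in m.groups()[:3])
    # Hotfix letters sort after the bare maintenance number: (3, "") < (3, "d").
    return _status((major, minor), (maint, m.group(4)), WANOP_FIXED)


CHECKERS = {"adc": check_adc, "gateway": check_adc, "wanop": check_wanop}


def triage(inventory):
    """inventory: iterable of (hostname, product, version_string).

    Returns (hostname, status) for every host not confirmed fixed, so
    "unknown" hosts surface alongside the vulnerable ones.
    """
    findings = []
    for host, product, version in inventory:
        checker = CHECKERS.get(product.lower())
        status = checker(version) if checker else "unknown"
        if status != "fixed":
            findings.append((host, status))
    return findings


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("adc-dmz-01", "adc", "NetScaler NS13.0: Build 58.30.nc, Date: Jul 7 2020"),
    ("adc-dmz-02", "adc", "13.0-52.24"),
    ("gw-hq-01", "gateway", "12.1-55.13"),
    ("gw-branch-01", "gateway", "11.1-64.14"),
    ("adc-legacy", "adc", "10.1-130.13"),
    ("wanop-01", "wanop", "11.0.3c"),
    ("wanop-02", "wanop", "11.1.1a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Feed `triage()` the real output of `show ns version` from each appliance and it reports every host that is either below its train's fixed build or on a train the advisory does not cover; a clean run returns an empty list. Note that a "fixed" result only addresses the CVEs in this bulletin, and that the management-interface exposure the advisory stresses (NSIP reachability) still needs to be checked independently of the build number.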