-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3198.2
 Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN
                       WANOP appliance Security Update
                              21 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Application Delivery Controller
                   Citrix Gateway
                   Citrix SD-WAN WANOP
Publisher:         Citrix
Operating System:  Network Appliance
Impact/Access:     Increased Privileges  -- Existing Account
                   Denial of Service     -- Remote/Unauthenticated
                   Reduced Security      -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8247 CVE-2020-8246 CVE-2020-8245

Original Bulletin:
   https://support.citrix.com/article/CTX281474

Revision History:  September 21 2020: Vendor released minor update
                   September 18 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN
WANOP appliance Security Update

Reference: CTX281474
Category : Medium
Created  : 17 Sep 2020
Modified : 18 Sep 2020

Applicable Products

  o Citrix Gateway
  o Citrix SD-WAN WANOP
  o Citrix ADC

Description of Problem

Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as
NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix
SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.
These vulnerabilities, if exploited, could result in the following security
issues:

+-------------+--------------------+-------------------+-------------+----------------------+
|CVE ID       |Description         |Vulnerability Type |Affected     |Pre-conditions        |
|             |                    |                   |Products     |                      |
+-------------+--------------------+-------------------+-------------+----------------------+
|CVE-2020-8245|An HTML Injection   |CWE-79: Improper   |Citrix ADC,  |Requires an           |
|             |attack against the  |Neutralization of  |Citrix       |authenticated victim  |
|             |SSL VPN web portal  |Input During Web   |Gateway      |on the SSL VPN web    |
|             |                    |Page Generation    |             |portal who must open  |
|             |                    |                   |             |an attacker-controlled|
|             |                    |                   |             |link in the browser   |
+-------------+--------------------+-------------------+-------------+----------------------+
|CVE-2020-8246|A denial of service |CWE-400:           |Citrix ADC,  |Unauthenticated       |
|             |attack originating  |Uncontrolled       |Citrix       |attacker with access  |
|             |from the management |Resource           |Gateway,     |to the management     |
|             |network             |Consumption        |Citrix SDWAN |network               |
|             |                    |                   |WAN-OP       |                      |
+-------------+--------------------+-------------------+-------------+----------------------+
|CVE-2020-8247|Escalation of       |CWE-269: Improper  |Citrix ADC,  |An attacker must      |
|             |privileges on the   |Privilege          |Citrix       |possess privilege to  |
|             |management interface|Management         |Gateway,     |execute arbitrary     |
|             |                    |                   |Citrix SDWAN |commands on the       |
|             |                    |                   |WAN-OP       |management interface  |
+-------------+--------------------+-------------------+-------------+----------------------+

The vulnerabilities are addressed in the following supported versions:

  o Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
  o Citrix ADC and NetScaler Gateway 12.1-58.15 and later releases
  o Citrix ADC 12.1-FIPS 12.1-55.187 and later releases
  o Citrix ADC and NetScaler Gateway 11.1-65.12 and later releases
  o Citrix SD-WAN WANOP 11.2.1a and later releases
  o Citrix SD-WAN WANOP 11.1.2a and later releases
  o Citrix SD-WAN WANOP 11.0.3f and later releases
  o Citrix SD-WAN WANOP 10.2.7b and later releases

Customers should note that Citrix ADC and Citrix Gateway 12.0, which has
reached End of Maintenance, is impacted by these vulnerabilities. Citrix
recommends that customers using this version upgrade to a later version that
addresses these issues.

Additionally, security enhancements to help protect customers against HTTP
Request Smuggling attacks have been added to the above versions of Citrix ADC,
Citrix Gateway, and Citrix SD-WAN WANOP. Customers may enable these
enhancements using the Citrix ADC management interface. Please see
https://support.citrix.com/article/CTX282268 for more information.

Mitigating Factors

Two of the three vulnerabilities originate in the management interface of
Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP. Citrix strongly recommends
that network traffic to the appliance's management interface is separated,
either physically or logically, from normal network traffic. Doing so greatly
diminishes the risk of exploitation. Please see
https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html
for more information.

What Customers Should Do

Fixed builds have been released for supported versions of Citrix ADC, Citrix
Gateway, and Citrix SD-WAN WANOP. Citrix recommends that affected customers
install these updates as soon as their patching schedule permits. The latest
builds can be downloaded from https://www.citrix.com/downloads/citrix-adc/ ,
https://www.citrix.com/downloads/citrix-gateway/ and
https://www.citrix.com/downloads/citrix-sd-wan/

Acknowledgements

Citrix would like to thank Knud of F-Secure, Arsenii Pustovit of Adversary
Emulation team (Royal Bank of Canada), Moritz Bechler of SySS GmbH, Johan
Georges from Wisearc Advisors in Sweden, Vasilis Maritsas of EY Consulting,
Juan David Ordonez Noriega, member of RedTeam CSIETE and Ricardo Iramar Dos
Santos for working with us to protect Citrix customers.
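The fixed-build list and the "What Customers Should Do" section above turn into a routine triage task: compare each appliance's running build against the minimum fixed build on its release branch, and flag the End of Maintenance 12.0 branch separately because no fixed build exists for it. The following script is an added example for that check; it is not part of the Citrix or AusCERT bulletin. The fixed builds are transcribed from the bulletin, but the build-string formats ("13.0-64.35" for ADC/Gateway, "11.2.1a" for SD-WAN WANOP), the product keys, and the sample inventory are assumptions made for this example.

```python
import re

# Minimum fixed builds per product and release branch, transcribed from CTX281474.
FIXED_BUILDS = {
    "adc_gateway": {"13.0": "13.0-64.35", "12.1": "12.1-58.15", "11.1": "11.1-65.12"},
    "adc_fips": {"12.1": "12.1-55.187"},
    "sdwan_wanop": {"11.2": "11.2.1a", "11.1": "11.1.2a", "11.0": "11.0.3f", "10.2": "10.2.7b"},
}

# Release branches the bulletin names as End of Maintenance but still affected.
EOM_BRANCHES = {"adc_gateway": {"12.0"}}

# Build-string formats are an assumption of this example, not taken from the
# bulletin: "13.0-64.35" for ADC/Gateway builds, "11.2.1a" for SD-WAN WANOP.
_ADC_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
_WANOP_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_build(product, version):
    """Turn a build string into a comparable tuple; raise ValueError on bad input."""
    if product == "sdwan_wanop":
        m = _WANOP_RE.match(version)
        if not m:
            raise ValueError(f"unrecognised SD-WAN WANOP build string: {version!r}")
        major, minor, patch, letter = m.groups()
        # An empty letter sorts before 'a', so 11.2.1 compares lower than 11.2.1a.
        return (int(major), int(minor), int(patch), letter)
    m = _ADC_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised ADC/Gateway build string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(product, version):
    """Classify one appliance build against the bulletin's fixed builds.

    Returns 'fixed', 'vulnerable', 'end_of_maintenance' (affected, no fixed
    build on that branch) or 'unknown_branch' (a branch the bulletin does not
    list, which needs a human decision rather than a silent pass).
    """
    if product not in FIXED_BUILDS:
        raise ValueError(f"unknown product key: {product!r}")
    running = parse_build(product, version)
    branch = f"{running[0]}.{running[1]}"
    if branch in EOM_BRANCHES.get(product, set()):
        return "end_of_maintenance"
    fixed = FIXED_BUILDS[product].get(branch)
    if fixed is None:
        return "unknown_branch"
    return "fixed" if running >= parse_build(product, fixed) else "vulnerable"


def triage(inventory):
    """Group (hostname, product, version) records by assessment outcome."""
    report = {}
    for host, product, version in inventory:
        try:
            status = assess(product, version)
        except ValueError:
            status = "parse_error"  # surfaced, never silently treated as fixed
        report.setdefault(status, []).append(host)
    return report


# Constructed sample inventory; hostnames and builds are made up for this example.
SAMPLE_INVENTORY = [
    ("adc-dmz-01", "adc_gateway", "13.0-64.35"),
    ("adc-dmz-02", "adc_gateway", "13.0-58.30"),
    ("gw-legacy-01", "adc_gateway", "12.0-63.21"),
    ("adc-fips-01", "adc_fips", "12.1-55.187"),
    ("wanop-br-01", "sdwan_wanop", "11.2.1a"),
    ("wanop-br-02", "sdwan_wanop", "10.2.7a"),
    ("wanop-br-03", "sdwan_wanop", "not-a-version"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:20s} {', '.join(hosts)}")
```

The comparison is done per release branch rather than across all builds, because a 12.1 build newer than 12.1-58.15 is fixed even though it is numerically lower than 13.0-64.35. Unknown branches and unparseable strings are reported as their own categories so that an inventory with odd entries does not quietly pass as patched.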
Changelog

+-------------------+---------------------------------------------------------+
|Date               |Change                                                   |
+-------------------+---------------------------------------------------------+
|2020-09-17         |Initial Publication                                      |
+-------------------+---------------------------------------------------------+
|2020-09-18         |Clarification on version 12.0                            |
+-------------------+---------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX2gAeONLKJtyKPYoAQijvRAApsuI8kcVYnXzNkBGgD29Te7ywGkpMSAv
S4xmNhzOTHvtFLkgcp6O9MHR/YIZmOaUZ6sLWsaavKdUjc3f6EX1eY16Vjt6j4JP
Z/q2UsL/PUlk1PTqsyz6ORGNunz27kS2AD31JxetoWcBHPSgSF/q3oJ4SppSsp3R
Y6R9ErisVusRhlbCDjAhunduP/lI5dy/2lVdsnsGtKLoe2gf3XzUYVvYwQ6yAjwx
Db7YmVG2buUaKU87/wiHTBIAROtGn5zwHNn60K2VtxQK6UYqHyuVRoBccM+8q/Bb
FglOfwCAxr/tn1xHkRUi0j5+ebtrMEMoq1d93+K7SvSAbeHbJHs5BYhW15XUzd0o
3fNNc2So+MK59PYsLV61PjGm8LIWWP4zArkPR8PGTD6Jo4IGnkxJD3tce0GJYnk/
e57OMzvOVALRElA1TljzIdETMzNW5ln9gJvPXXVusNbbeJMalOeC6S2SXPRZ2o4n
35meR9YEY08oWWPqojn5UdFk21M+hCtYhri/zchSqeHct4hQZ6cZDY40+gEATO8u
wWg42FKQlZ1z0OA5YBIKzvOlHYBAvYCxtFGfHys1JBNPiU77+1WXJvtT/4H2/JaW
YgS4sU9rd8RhTBNww+9rUTYp4DnQSKmXhZ+UszyvKBBwfHWzNlDSXilkxRiFgYrc
VnuwhSPY6XY=
=mqZv
-----END PGP SIGNATURE-----