
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3198.2
        Citrix Application Delivery Controller, Citrix Gateway, and
               Citrix SD-WAN WANOP appliance Security Update
                             21 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Application Delivery Controller
                   Citrix Gateway
                   Citrix SD-WAN WANOP
Publisher:         Citrix
Operating System:  Network Appliance
Impact/Access:     Increased Privileges -- Existing Account            
                   Denial of Service    -- Remote/Unauthenticated      
                   Reduced Security     -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8247 CVE-2020-8246 CVE-2020-8245

Original Bulletin: 
   https://support.citrix.com/article/CTX281474

Revision History:  September 21 2020: vendor released minor update
                   September 18 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update

Reference: CTX281474

Category : Medium

Created  : 17 Sep 2020

Modified : 18 Sep 2020

Applicable Products

  o Citrix Gateway
  o Citrix SD-WAN WANOP
  o Citrix ADC

Description of Problem

Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as
NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix
SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These
vulnerabilities, if exploited, could result in the following security issues:

+-------------+--------------------+-------------------+-------------+----------------------+
|CVE ID       |Description         |Vulnerability Type |Affected     |Pre-conditions        |
|             |                    |                   |Products     |                      |
+-------------+--------------------+-------------------+-------------+----------------------+
|CVE-2020-8245|An HTML Injection   |CWE-79: Improper   |Citrix ADC,  |Requires an           |
|             |attack against the  |Neutralization of  |Citrix       |authenticated victim  |
|             |SSL VPN web portal  |Input During Web   |Gateway      |on the SSL VPN web    |
|             |                    |Page Generation    |             |portal who must open  |
|             |                    |                   |             |an attacker-controlled|
|             |                    |                   |             |link in the browser   |
+-------------+--------------------+-------------------+-------------+----------------------+
|CVE-2020-8246|A denial of service |CWE-400:           |Citrix ADC,  |Unauthenticated       |
|             |attack originating  |Uncontrolled       |Citrix       |attacker with access  |
|             |from the management |Resource           |Gateway,     |to the management     |
|             |network             |Consumption        |Citrix SDWAN |network               |
|             |                    |                   |WAN-OP       |                      |
+-------------+--------------------+-------------------+-------------+----------------------+
|CVE-2020-8247|Escalation of       |CWE-269: Improper  |Citrix ADC,  |An attacker must      |
|             |privileges on the   |Privilege          |Citrix       |possess privilege to  |
|             |management interface|Management         |Gateway,     |execute arbitrary     |
|             |                    |                   |Citrix SDWAN |commands on the       |
|             |                    |                   |WAN-OP       |management interface  |
+-------------+--------------------+-------------------+-------------+----------------------+

The vulnerabilities are addressed in the following supported versions:

  o Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
  o Citrix ADC and NetScaler Gateway 12.1-58.15 and later releases
  o Citrix ADC 12.1-FIPS 12.1-55.187 and later releases
  o Citrix ADC and NetScaler Gateway 11.1-65.12 and later releases
  o Citrix SD-WAN WANOP 11.2.1a and later releases
  o Citrix SD-WAN WANOP 11.1.2a and later releases
  o Citrix SD-WAN WANOP 11.0.3f and later releases
  o Citrix SD-WAN WANOP 10.2.7b and later releases

Customers should note that Citrix ADC and Citrix Gateway 12.0, which has
reached End of Maintenance, is impacted by these vulnerabilities. Citrix
recommends that customers using this version upgrade to a later version that
addresses these issues.
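The fixed-build list above is easiest to apply across a fleet as a version check. The following is an added example (not Citrix's or AusCERT's code) that encodes the Citrix ADC and Citrix Gateway fixed builds from this bulletin and classifies an inventory of version strings written in the advisory's own "13.0-64.35" form; the FIPS branch is passed as a separate flag, and 12.0 is reported as End of Maintenance rather than compared. SD-WAN WANOP versions use a different scheme and are not handled here.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum fixed builds per release branch, as listed in CTX281474.
# Key: (branch, is_fips). Value: (build, sub-build), or None for the
# 12.0 branch, which is End of Maintenance and has no fixed build.
FIXED_BUILDS: Dict[Tuple[str, bool], Optional[Tuple[int, int]]] = {
    ("13.0", False): (64, 35),
    ("12.1", False): (58, 15),
    ("12.1", True): (55, 187),   # Citrix ADC 12.1-FIPS
    ("11.1", False): (65, 12),
    ("12.0", False): None,
}

# Matches the advisory's version form: <major>.<minor>-<build>.<sub>
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '12.1-58.15' into ('12.1', (58, 15)); reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix ADC/Gateway version: {version!r}")
    branch, build, sub = m.groups()
    return branch, (int(build), int(sub))


def assess(version: str, fips: bool = False) -> str:
    """Classify a build as fixed, vulnerable, end-of-maintenance or unknown-branch.

    Comparison is done on the (build, sub-build) tuple, so 12.1-59.1 counts as
    later than 12.1-58.15 even though 1 < 15 numerically.
    """
    branch, build = parse_version(version)
    minimum = FIXED_BUILDS.get((branch, fips), "missing")
    if minimum == "missing":
        return "unknown-branch"        # branch not covered by this bulletin
    if minimum is None:
        return "end-of-maintenance"    # 12.0: impacted, upgrade to a fixed branch
    return "fixed" if build >= minimum else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real appliances.
    inventory = [("13.0-64.35", False), ("13.0-58.30", False),
                 ("12.1-55.187", True), ("12.1-55.187", False),
                 ("12.0-63.21", False), ("11.1-65.3", False)]
    for ver, is_fips in inventory:
        label = f"{ver}{' (FIPS)' if is_fips else ''}"
        print(f"{label:22} {assess(ver, is_fips)}")
```

Note that the same build number 55.187 is fixed on the FIPS branch but still vulnerable on the regular 12.1 branch, so the FIPS attribute must be tracked alongside the version string.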

Additionally, security enhancements to help protect customers against HTTP
Request Smuggling attacks have been added to the above versions of Citrix ADC,
Citrix Gateway, and Citrix SD-WAN WANOP. Customers may enable these
enhancements using the Citrix ADC management interface. Please see
https://support.citrix.com/article/CTX282268 for more information.

Mitigating Factors

Two of the three vulnerabilities originate in the management interface of
Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP. Citrix strongly recommends
that network traffic to the appliance's management interface is separated,
either physically or logically, from normal network traffic. Doing so greatly
diminishes risk of exploitation. Please see
https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html
for more information.

What Customers Should Do

Fixed builds have been released for supported versions of Citrix ADC, Citrix
Gateway, and Citrix SD-WAN WANOP. Citrix recommends that affected customers
install these updates as soon as their patching schedule permits.

The latest builds can be downloaded from
https://www.citrix.com/downloads/citrix-adc/ ,
https://www.citrix.com/downloads/citrix-gateway/ and
https://www.citrix.com/downloads/citrix-sd-wan/

Acknowledgements

Citrix would like to thank Knud of F-Secure, Arsenii Pustovit of Adversary
Emulation team (Royal Bank of Canada), Moritz Bechler of SySS GmbH, Johan
Georges from Wisearc Advisors in Sweden, Vasilis Maritsas of EY Consulting,
Juan David Ordonez Noriega, member of RedTeam CSIETE and Ricardo Iramar Dos
Santos for working with us to protect Citrix customers.

Changelog

+-------------------+---------------------------------------------------------+
|Date               |Change                                                   |
+-------------------+---------------------------------------------------------+
|2020-09-17         |Initial Publication                                      |
+-------------------+---------------------------------------------------------+
|2020-09-18         |Clarification on version 12.0                            |
+-------------------+---------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================