-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3517
            Citrix Gateway Plug-in for Windows Security Update
                              14 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Gateway Plug-in for Windows
                   Citrix ADC
                   Citrix Gateway
                   NetScaler ADC
                   NetScaler Gateway
Publisher:         Citrix
Operating System:  Windows
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8258 CVE-2020-8257

Original Bulletin:
   https://support.citrix.com/article/CTX282684

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Gateway Plug-in for Windows Security Update

Reference: CTX282684
Category : High
Created  : 13 Oct 2020
Modified : 13 Oct 2020

Applicable Products

  o Citrix ADC
  o Citrix Gateway
  o NetScaler Gateway

Description of Problem

Vulnerabilities have been identified in Citrix Gateway Plug-in for Windows
that, if exploited, could result in a local user escalating their privilege
level to SYSTEM.

The vulnerabilities have the following identifiers:

  o CVE-2020-8257
  o CVE-2020-8258

These vulnerabilities affect the following supported versions of Citrix
Gateway Plug-in for Windows:

Customers with Citrix ADC or Citrix Gateway:

  o Citrix Gateway Plug-in 13.0 for Windows before 64.35
  o Citrix Gateway Plug-in 12.1 for Windows before 59.16

Customers with Citrix ADC 12.1-FIPS:

  o Citrix Gateway Plug-in 12.1 for Windows before 55.190

These vulnerabilities do not affect Citrix Gateway Plug-in on other
platforms. Citrix Gateway Plug-in for Windows 11.1 is not affected by these
vulnerabilities. Other versions are now End-of-Life and no longer supported.

The following supported versions of Citrix ADC (formerly known as NetScaler
ADC) and Citrix Gateway (formerly known as NetScaler Gateway) include an
impacted version of Citrix Gateway Plug-in in order to distribute it to
users when they connect to Citrix Gateway:

  o Citrix ADC and Citrix Gateway 13.0 before 64.35
  o NetScaler ADC and NetScaler Gateway 12.1 before 59.16
  o Citrix ADC 12.1-FIPS before 55.190

What Customers Should Do

Citrix strongly recommends that:

customers with Citrix Gateway and customers using the SSL VPN component of
Citrix ADC upgrade to a version that includes and distributes a fixed
version of Citrix Gateway Plug-in for Windows.

AND

customers with users who have a vulnerable version of Citrix Gateway Plug-in
for Windows ensure they upgrade to a fixed version of Citrix Gateway Plug-in
for Windows as soon as possible. This can be achieved when they log in to a
supported version of Citrix ADC or Citrix Gateway or by installing a
compatible fixed version from Citrix.com.

The issues have been addressed in the following versions of Citrix Gateway
Plug-in for Windows:

Customers with Citrix ADC or Citrix Gateway:

  o Citrix Gateway Plug-in 13.0 for Windows 64.35 and later versions
  o Citrix Gateway Plug-in 12.1 for Windows 59.16 and later versions

Customers with Citrix ADC 12.1-FIPS:

  o Citrix Gateway Plug-in 12.1 for Windows 55.190 and later versions

The latest versions of Citrix Gateway Plug-in for Windows are available
from:

https://www.citrix.com/downloads/citrix-gateway/plug-ins/

Please note that versions of Citrix Gateway Plug-in which are compatible
with Citrix ADC 12.1-FIPS are delivered directly from Citrix ADC 12.1-FIPS
and are not available from Citrix.com.

Fixed versions of Citrix Gateway Plug-in for Windows are included in the
following versions of Citrix ADC and Citrix Gateway:

  o Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
  o NetScaler ADC and NetScaler Gateway 12.1-59.16 and later releases
  o Citrix ADC 12.1-FIPS 55.190 and later releases

The latest versions of Citrix ADC and Citrix Gateway are available from:

https://www.citrix.com/downloads/citrix-adc/
https://www.citrix.com/downloads/citrix-gateway/

Acknowledgements

Citrix would like to thank Chen Erlich of Cymptom (@chen_erlich) for
working with us to protect Citrix customers.

Changelog

+--------------------------+--------------------------------------------------+
|Date                      |Change                                            |
+--------------------------+--------------------------------------------------+
|2020-10-13                |Initial Publication                               |
+--------------------------+--------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX4Z8MONLKJtyKPYoAQjlZQ/9EmsxJitCKDFaG1+zBtE40DK1OqV94SsD
vlkQrNLPJwc0Vgo2H8wb6lwIsc0W2saulmm1FKvQNq11bGXb7qtW8DK98u2k91Dy
4mdN3S/TD7UuZcAU8O7fX94Bar7m4OLCZdANd12ebsyCfaT3W4Oo7M1EYNmE1vy+
rLIRiKMHFXMDsLl8/7fGJC2e5OrpPLIDhfx1sPeBGNGybd/nldBrTRmcZmTDTLCx
lyOr76ku7oQuRnQoORK9uq8TyIdKAKZE+mQmOL6U2WnUjFQaBjk2vKWt38O5Ngb2
uRBHDqizQdBtt4Tld8pYQrelP22VBgLLZnmy3+YzCBJCGwVuWfSgqbXTiTl64NBE
rklDTqo1KIkYMaBLDKhqXI+4JE470gi+hL449n4VdRErMYi8Gjrk3A8E84HseX1l
yVPnzg/+cGIG2mxDye6E8RcsQ3wGfGCq5rXT439HUC7phkcUB6zgiXdmfD455xdY
JhQEEbA7KPsllAqt0746MMWo1YrojazHNQy0oFtI/Fd8Mm5tDGk7S4uyxgeCaDGb
qe6NO0SuC5HQVf3o39342Bv9SQf39eyt7dkI9yk9gG8yl0/7bWYjqE+3iyKF4XVW
34FmNfogQqHc3AMzcJQFa708bQ9SUz8BoHlSHpOKw1OW56rrAjJlD3fYOt0npsz9
fzYWVOpadZM=
=REzZ
-----END PGP SIGNATURE-----
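The "What Customers Should Do" section above leaves the endpoint side of the remediation to the reader: every Windows client that still carries a plug-in build below the fixed threshold for its branch needs to be found and upgraded. The PowerShell below is an added example for that inventory step; it is editorial code, not part of the Citrix advisory or the AusCERT bulletin. It encodes only the thresholds the bulletin states (13.0 fixed at 64.35, 12.1 fixed at 59.16, 12.1-FIPS fixed at 55.190, 11.1 not affected, everything else End-of-Life). Two things are assumptions, not facts from the bulletin: that the plug-in appears under the Windows Uninstall registry keys with a DisplayName starting "Citrix Gateway Plug-in" or "NetScaler Gateway Plug-in", and that its DisplayVersion is of the form major.minor.build.revision (for example 13.0.64.35). The function names (Test-CitrixGatewayPluginVersion, Get-CitrixGatewayPluginInstall, Invoke-CitrixGatewayPluginAudit) are hypothetical. The one edge case the bulletin's version table creates, that a 12.1 build in the 55.x line is fixed only if it came from a 12.1-FIPS appliance, cannot be decided from the version string alone, so the operator states it with -Fips.

```powershell
# Added example, not Citrix or AusCERT code. Classifies installed Citrix Gateway
# Plug-in for Windows builds against the fixed versions listed in CTX282684.
# ASSUMPTIONS (not from the bulletin): Uninstall-key DisplayName patterns below and
# a DisplayVersion of the form major.minor.build.revision, e.g. 13.0.64.35.

function Test-CitrixGatewayPluginVersion {
    <#
    .SYNOPSIS
      Returns Fixed, Vulnerable, NotAffected, EndOfLife or Unknown for one DisplayVersion.
    .PARAMETER Fips
      Set when the clients are served by Citrix ADC 12.1-FIPS: its 12.1 plug-in is fixed at
      55.190. Without -Fips a 12.1 build is fixed only at 59.16 and later (CTX282684).
    #>
    param(
        [Parameter(Mandatory)][string]$DisplayVersion,
        [switch]$Fips
    )
    try { $v = [version]$DisplayVersion } catch { return 'Unknown' }   # empty/odd strings
    $branch = '{0}.{1}' -f $v.Major, $v.Minor

    # Fixed builds per CTX282684; the 12.1 threshold depends on the appliance type.
    $fixed121 = if ($Fips) { [version]'12.1.55.190' } else { [version]'12.1.59.16' }
    $fixed = @{ '13.0' = [version]'13.0.64.35'; '12.1' = $fixed121 }

    if ($branch -eq '11.1')               { return 'NotAffected' }   # bulletin: 11.1 not affected
    if (-not $fixed.ContainsKey($branch)) { return 'EndOfLife' }     # bulletin: other versions unsupported
    if ($v -ge $fixed[$branch])           { return 'Fixed' }
    return 'Vulnerable'
}

function Get-CitrixGatewayPluginInstall {
    # Read both the 64-bit and the 32-bit (WOW6432Node) Uninstall hives. The DisplayName
    # patterns are an assumption; adjust them to what your endpoints actually report.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Citrix Gateway Plug-in*' -or
                       $_.DisplayName -like 'NetScaler Gateway Plug-in*' } |
        Select-Object DisplayName, DisplayVersion
}

function Invoke-CitrixGatewayPluginAudit {
    # One row per installed plug-in on this host; pass -Fips on 12.1-FIPS deployments.
    param([switch]$Fips)
    $installs = @(Get-CitrixGatewayPluginInstall)
    if ($installs.Count -eq 0) {
        Write-Output "$($env:COMPUTERNAME): no Citrix/NetScaler Gateway Plug-in found"
        return
    }
    foreach ($i in $installs) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Product  = $i.DisplayName
            Version  = $i.DisplayVersion
            Status   = Test-CitrixGatewayPluginVersion -DisplayVersion $i.DisplayVersion -Fips:$Fips
        }
    }
}

# Constructed sample version strings (not real inventory data) so the classifier can be
# exercised offline. 12.1.55.190 shows the FIPS edge case: it meets the 12.1-FIPS
# threshold but is still below 59.16 for a non-FIPS 12.1 deployment.
'13.0.64.35', '13.0.60.0', '12.1.59.16', '12.1.55.190', '11.1.60.0', '10.5.60.0', '' |
    ForEach-Object {
        [pscustomobject]@{
            Version = $_
            NonFips = Test-CitrixGatewayPluginVersion -DisplayVersion $_
            Fips    = Test-CitrixGatewayPluginVersion -DisplayVersion $_ -Fips
        }
    } | Format-Table -AutoSize

# Live check on the local machine (reads HKLM only, no elevation required):
Invoke-CitrixGatewayPluginAudit
```

To run it fleet-wide, wrap the three functions and the final call in a script block and hand it to Invoke-Command -ComputerName, then export the returned objects to CSV; a Vulnerable row is an endpoint whose user must either log in to an upgraded Citrix ADC or Citrix Gateway (which redistributes the fixed plug-in) or install the fixed plug-in directly. Note that 12.1-FIPS plug-ins are only delivered from the appliance, so for those users the appliance upgrade is the only remediation path the bulletin offers.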