A vulnerability has been identified in the management interface of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that, if exploited, could allow an attacker with access to the NetScaler management interface to gain administrative access to the appliance.
This vulnerability has been assigned the following CVE number:
This vulnerability affects the following product versions:
In order to exploit this vulnerability, an attacker would require access to the management interface of the NetScaler. In situations where customers have deployed their NetScaler ADC and NetScaler Gateway appliances in line with industry best practice, network access to this interface should already be restricted.
This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:
Citrix strongly recommends that customers impacted by this vulnerability upgrade to a version of the Citrix NetScaler ADC or NetScaler Gateway that contains a fix for this issue as soon as possible.
These versions are available on the Citrix website at the following addresses:
<https://www.citrix.com/downloads/netscaler-adc/>
<https://www.citrix.com/downloads/netscaler-gateway/>
In line with industry best practice, Citrix also recommends that customers limit access to the management interface to trusted traffic only. Citrix has published additional guidance on the secure configuration of NetScaler management interfaces. This can be found at the following location:
<https://support.citrix.com/article/CTX228148>
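The recommendation above is to expose the management interface only to trusted traffic, which on a NetScaler is normally enforced with ACLs on the NSIP. The following is an added example, not code from Citrix or from this advisory: it models ACL evaluation the way NetScaler simple ACLs are assumed to behave (entries ordered by ascending priority, first match decides, no match means the packet is allowed) and uses an assumed set of management ports (22, 80, 443), so that a defender can compare the exposure of a configuration with no ACLs against one with an allow-list for an admin subnet. Restricting access is a compensating control; it does not replace upgrading to a fixed version.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Acl:
    """One simple ACL entry, modelled on NetScaler 'add ns acl' semantics (an assumption)."""
    name: str
    action: str                       # "ALLOW" or "DENY"
    priority: int                     # lower number is evaluated first
    src_net: Optional[str] = None     # CIDR of sources the entry applies to; None matches any source
    dest_port: Optional[int] = None   # TCP destination port; None matches any port

    def matches(self, src_ip: str, dest_port: int) -> bool:
        if self.src_net is not None and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dest_port is not None and dest_port != self.dest_port:
            return False
        return True


def evaluate(acls: List[Acl], src_ip: str, dest_port: int) -> str:
    """Return "ALLOW" or "DENY" for one packet.

    The first matching entry in ascending priority order decides. If nothing matches
    the packet is allowed; that default-allow behaviour is an assumption of this model."""
    for acl in sorted(acls, key=lambda a: a.priority):
        if acl.matches(src_ip, dest_port):
            return acl.action
    return "ALLOW"


# Management-plane ports on the NSIP (SSH, HTTP and HTTPS GUI/API). Assumed set; adjust to your deployment.
MGMT_PORTS = (22, 80, 443)


def sources_with_mgmt_access(acls: List[Acl], sources: List[str]) -> List[str]:
    """Sources from which at least one management port is reachable under the given ACLs."""
    return [s for s in sources if any(evaluate(acls, s, p) == "ALLOW" for p in MGMT_PORTS)]


def mgmt_acls(trusted_net: str) -> List[Acl]:
    """Allow-list for the management ports: the trusted subnet is allowed, every other source denied.

    Because evaluation is first-match by priority, each ALLOW entry must sort before the
    matching DENY entry, otherwise the deny would shadow it."""
    acls: List[Acl] = []
    for i, port in enumerate(MGMT_PORTS):
        acls.append(Acl(f"mgmt_allow_{port}", "ALLOW", 10 + i, trusted_net, port))
        acls.append(Acl(f"mgmt_deny_{port}", "DENY", 100 + i, None, port))
    return acls


# Constructed sample configurations and sample sources (not taken from any real appliance)
WEAK_CONFIG: List[Acl] = []                   # no ACLs at all: default allow for everyone
HARDENED_CONFIG = mgmt_acls("10.10.0.0/24")   # only the admin jump subnet may reach the NSIP
SAMPLE_SOURCES = ["10.10.0.7", "192.168.50.20", "203.0.113.5"]  # admin host, user LAN, internet


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        reachable = sources_with_mgmt_access(cfg, SAMPLE_SOURCES)
        print(f"{label:9s} management ports reachable from: {reachable}")
```

The check only covers the ports listed in `MGMT_PORTS`: a request to an unlisted port from an untrusted source still evaluates to "ALLOW" under the hardened list, which is the usual gap when an ACL set is written per port rather than per interface, so review the full set of services listening on the NSIP when building the real allow-list.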
Important:
If you are upgrading an MPX FIPS device that has FIPS firmware 2.2, please note that NetScaler version 10.5 does not support FIPS firmware 2.2. You can upgrade to versions 11.0, 11.1 or 12.0, which are currently available for download. Please refer to <https://docs.citrix.com/en-us/netscaler/12/ssl/fips/update-fipscard-firmware-version_2_2.html> for additional details and validation of FIPS firmware.
Citrix thanks Frank Gifford of NCC Group (<https://nccgroup.trust>) for working with us to protect Citrix customers.
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
| Date | Change |
|---|---|
| 25th September 2017 | Initial publishing |
| 26th September 2017 | Update to What Customers Should Do section |
| 6th October 2017 | Update to What Customers Should Do section |