A vulnerability has been identified in the management interface of the Citrix NetScaler SD-WAN/CloudBridge 4000, 4100, 5000 and 5100 WAN Optimization Edition appliances. This vulnerability, if exploited, could allow an attacker with access to the management interface of the applianceβs NetScaler ADC instance to gain administrative access to the instance.
This vulnerability has been assigned the following CVE number:
This vulnerability affects the following combinations of Citrix NetScaler SD-WAN/Cloudbridge hardware and software:
In order to exploit this vulnerability, an attacker would require access to the management interface of the applianceβs NetScaler ADC instance. In situations where customers have deployed their appliances in line with industry best practice, network access to this interface should already be restricted.
This vulnerability has been addressed in the following software versions:
Citrix strongly recommends that customers using vulnerable combinations of hardware and software upgrade their appliances to a version of the software that contains a fix for this issue as soon as possible.
These versions are available on the Citrix website at the following address:
<https://www.citrix.com/downloads/netscaler-sd-wan/>
In line with general best practice, Citrix also recommends that customers limit access to the management interfaces of the NetScaler SD-WAN appliances to trusted network traffic only.
Citrix thanks Frank Gifford of NCC Group (<https://nccgroup.trust>) for working with us to protect Citrix customers.
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at _ <http://support.citrix.com/>_.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at _ <https://www.citrix.com/support/open-a-support-case.html>_.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 β Reporting Security Issues to Citrix
Date | Change |
---|---|
26th September 2017 | Initial publishing |
27th September 2017 | Update to What Customers Should Do section |
15th August 2019 | Updated Title |