CVSS3: 9.8 High

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

CVSS2: 7.5 High

| Metric | Value |
|---|---|
| Access Vector | NETWORK (AV:N) |
| Access Complexity | LOW (AC:L) |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |
| Vector string | AV:N/AC:L/Au:N/C:P/I:P/A:P |

EPSS: 0.003 Low (Percentile 70.0%)
A vulnerability has been identified in the management interface of Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an attacker with access to the management interface to gain administrative access to the appliance.
This vulnerability has been assigned the following CVE number:
This vulnerability affects the following product versions:
In order to exploit this vulnerability, an attacker would require access to the management interface of the Citrix ADC. In situations where customers have deployed their Citrix ADC and Citrix Gateway appliances in line with industry best practice, network access to this interface should already be restricted.
If the customer has previously changed the default internal user account or RPC node password in accordance with the guidelines in the Secure Deployment Guide, then this issue does not impact their deployment.
This vulnerability has been addressed in the following versions of Citrix ADC and Citrix Gateway:
Citrix strongly recommends that customers impacted by this vulnerability upgrade to a version of the Citrix ADC or Citrix Gateway that contains a fix for this issue as soon as possible.
These versions are available on the Citrix website at the following addresses:
<https://www.citrix.com/downloads/citrix-adc/>
<https://www.citrix.com/downloads/citrix-gateway/>
Customers may also choose to change the default internal user account or RPC node password as a workaround for this vulnerability. Please note that this change may affect existing HA, Cluster, or GSLB configuration on the deployment. Configuration instructions can be found in the steps included under “Internal user account or RPC node password” in the section titled “Change the default passwords” in the following secure deployment guide.
In line with industry best practice, Citrix also recommends that customers limit access to the management interface to trusted traffic only. Citrix has published additional guidance on the secure configuration of the management interfaces. This can be found at the following location:
<https://support.citrix.com/article/CTX228148>
Citrix thanks Marc-André Labonté of Desjardins for working with us to protect Citrix customers.
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
| Date | Change |
|---|---|
| 17th October 2019 | Initial Publishing |
| 17th October 2019 | Added Acknowledgement & Clarification on Affected Builds |
| 18th October 2019 | Added Clarification on RPC node password |
| 21st October 2019 | CVE ID assigned |