The Hacker News (THN:DABC62CDC9B66962217D9A8ABA9DF060)
Jul 08, 2020 - 7:43 a.m.

Citrix Issues Critical Patches for 11 New Flaws Affecting Multiple Products

2020-07-08 07:43:00
The Hacker News
thehackernews.com
CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Citrix yesterday issued new security patches for as many as 11 security flaws that affect its Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WAN Optimization edition (WANOP) networking products.

Successful exploitation of these critical flaws could let unauthenticated attackers perform code injection, information disclosure, and even denial-of-service attacks against the gateway or the authentication virtual servers.

Citrix confirmed that the aforementioned issues do not impact other virtual servers, such as load balancing and content switching virtual servers.

The affected Citrix SD-WAN WANOP appliances include models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.

The networking vendor also reiterated that these vulnerabilities were not connected to a previously fixed zero-day NetScaler flaw (tagged as CVE-2019-19781) that allowed bad actors to perform arbitrary code execution even without proper authentication.

It also said there’s no evidence the newly disclosed flaws are exploited in the wild and that barriers to exploitation of these flaws are high.

“Of the 11 vulnerabilities, there are six possible attacks routes; five of those have barriers to exploitation,” Citrix’s CISO Fermin Serna said. “Two of the remaining three possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.”

Although Citrix has refrained from publishing technical details of the vulnerabilities, citing malicious actors’ efforts to leverage the patches and the information to reverse engineer exploits, attacks on the management interface of the products could result in system compromise by an unauthenticated user, or through Cross-Site Scripting (XSS) on the management interface.

An adversary could also create a download link for a vulnerable device, which could result in the compromise of a local computer upon execution by an unauthenticated user on the management network.

A second class of attacks concerns virtual IPs (VIPs), permitting an attacker to mount DoS against the Gateway or remotely scan the ports of the internal network.

“Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,” Citrix noted in its advisory.

In addition, a separate vulnerability in Citrix Gateway Plug-in for Linux (CVE-2020-8199) would allow a local logged-on user of a Linux system to elevate their privileges to an administrator account on that system.

According to a Positive Technologies report last December, the traffic management and secure remote access applications are used by over 80,000 organizations across the world.

It’s recommended to download and apply the latest builds for Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances as soon as possible to mitigate risk and defend against potential attacks designed to exploit these flaws.
