Citrix Multiple High Risk Vulnerability Alert
Recently, Citrix officially released multiple security vulnerability risk announcements in the Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP components. Vulnerability impact is high risk.
Citrix Systems Inc. / CC BY (https://creativecommons.org/licenses/by/3.0)
There are multiple security issues in Citrix products. Attackers can send special request packets to cause the following effects: download arbitrary files or upload arbitrary files or implement cross-site scripting attacks or implement a denial of service attacks or obtain sensitive information or authentication bypass or code injection or privilege elevation.
Vulnerability details
Citrix products use PHP to provide web services, and there are multiple errors in their PHP code that lead to the following vulnerabilities.
| CVE-ID | Vulnerability detail |
|---|---|
| CVE-2019-18177 | Information leakage |
| CVE-2020-8187 | Privilege Elevation |
| CVE-2020-8190 | Privilege Elevation |
| CVE-2020-8191 | Cross-site scripting |
| CVE-2020-8193 | Certification bypass |
| CVE-2020-8194 | Code injection |
| CVE-2020-8195 | Information leakage |
| CVE-2020-8196 | Information leakage |
| CVE-2020-8197 | Privilege Elevation |
| CVE-2020-8198 | Cross-site scripting attack |
| CVE-2020-8199 | Privilege Elevation |
Affect version
- Citrix ADC and Citrix Gateway: < 13.0-58.30
- Citrix ADC and NetScaler Gateway: < 12.1-57.18
- Citrix ADC and NetScaler Gateway: < 12.0-63.21
- Citrix ADC and NetScaler Gateway: < 11.1-64.14
- NetScaler ADC and NetScaler Gateway: < 10.5-70.18
- Citrix SD-WAN WANOP: < 11.1.1a
- Citrix SD-WAN WANOP: < 11.0.3d
- Citrix SD-WAN WANOP: < 10.2.7
- Citrix Gateway Plug-in for Linux: < 1.0.0.137
Unaffected version
- Citrix ADC and Citrix Gateway: 13.0-58.30
- Citrix ADC and NetScaler Gateway: 12.1-57.18
- Citrix ADC and NetScaler Gateway:12.0-63.21
- Citrix ADC and NetScaler Gateway:11.1-64.14
- NetScaler ADC and NetScaler Gateway:10.5-70.18
- Citrix SD-WAN WANOP: 11.1.1a
- Citrix SD-WAN WANOP: 11.0.3d
- Citrix SD-WAN WANOP: 10.2.7
- Citrix Gateway Plug-in for Linux: 1.0.0.137
Solution
In this regard, we recommend that the users promptly upgrade Citrix series products to the specified version in accordance with the repair recommendations.
