Citrix Multiple High-Risk Vulnerability Alert

Citrix has published a security bulletin covering multiple vulnerabilities in Citrix ADC (formerly NetScaler ADC), Citrix Gateway (formerly NetScaler Gateway), Citrix SD-WAN WANOP and the Citrix Gateway Plug-in for Linux. Citrix rates the overall impact as high.


Depending on the product and component, an attacker who can send crafted requests to an affected appliance may be able to:

  • download or upload arbitrary files
  • perform cross-site scripting (XSS) attacks
  • cause a denial of service
  • obtain sensitive information
  • bypass authentication
  • inject code
  • elevate privileges

Vulnerability details

The web interfaces of the affected Citrix products are implemented in PHP, and several defects in that code lead to the following vulnerabilities:

  CVE ID            Vulnerability type
  CVE-2019-18177    Information disclosure
  CVE-2020-8187     Denial of service
  CVE-2020-8190     Privilege elevation
  CVE-2020-8191     Cross-site scripting
  CVE-2020-8193     Authentication bypass
  CVE-2020-8194     Code injection
  CVE-2020-8195     Information disclosure
  CVE-2020-8196     Information disclosure
  CVE-2020-8197     Privilege elevation
  CVE-2020-8198     Cross-site scripting
  CVE-2020-8199     Privilege elevation

Affected versions

  • Citrix ADC and Citrix Gateway: < 13.0-58.30
  • Citrix ADC and NetScaler Gateway: < 12.1-57.18
  • Citrix ADC and NetScaler Gateway: < 12.0-63.21
  • Citrix ADC and NetScaler Gateway: < 11.1-64.14
  • NetScaler ADC and NetScaler Gateway: < 10.5-70.18
  • Citrix SD-WAN WANOP: < 11.1.1a
  • Citrix SD-WAN WANOP: < 11.0.3d
  • Citrix SD-WAN WANOP: < 10.2.7
  • Citrix Gateway Plug-in for Linux: < 1.0.0.137

Unaffected (fixed) versions

  • Citrix ADC and Citrix Gateway: 13.0-58.30 and later
  • Citrix ADC and NetScaler Gateway: 12.1-57.18 and later
  • Citrix ADC and NetScaler Gateway: 12.0-63.21 and later
  • Citrix ADC and NetScaler Gateway: 11.1-64.14 and later
  • NetScaler ADC and NetScaler Gateway: 10.5-70.18 and later
  • Citrix SD-WAN WANOP: 11.1.1a and later
  • Citrix SD-WAN WANOP: 11.0.3d and later
  • Citrix SD-WAN WANOP: 10.2.7 and later
  • Citrix Gateway Plug-in for Linux: 1.0.0.137 and later
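The ADC/Gateway entries above are expressed as release train plus build number, and the practical check is to compare an appliance's reported build against the fixed build for its train. The following is an added example (not Citrix's code) that does exactly that for the output of `show ns version` on the appliance CLI. The banner format it parses ("NetScaler NS13.0: Build 58.30.nc, ...") is assumed from typical appliance output, the sample banners are constructed, and SD-WAN WANOP and the Linux plug-in, which use different version strings, are not handled.

```python
import re

# Fixed builds from the advisory above, keyed by release train.
# Builds at or above these are unaffected; anything lower is affected.
FIXED_BUILDS = {
    "13.0": (58, 30),
    "12.1": (57, 18),
    "12.0": (63, 21),
    "11.1": (64, 14),
    "10.5": (70, 18),
}

# First line of `show ns version` on the appliance CLI, for example
#   NetScaler NS13.0: Build 58.30.nc, Date: <build date>   (64-bit)
# The banner format is assumed from typical appliance output; adjust the
# pattern if your build prints differently.
BANNER_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_banner(banner):
    """Return (train, (build_major, build_minor)) from a version banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised version banner: %r" % banner)
    train = m.group(1)
    build = (int(m.group(2)), int(m.group(3)))
    return train, build


def classify(banner):
    """Classify a banner as 'patched', 'vulnerable' or 'not covered'.

    'not covered' means the release train is not listed in the advisory
    (for example an end-of-life train), so this table alone says nothing
    about it.
    """
    train, build = parse_banner(banner)
    fixed = FIXED_BUILDS.get(train)
    if fixed is None:
        return "not covered"
    # Tuple comparison orders (47, 24) < (58, 15) < (58, 30), which is the
    # correct ordering for NetScaler build numbers.
    return "patched" if build >= fixed else "vulnerable"


def is_patched(banner):
    return classify(banner) == "patched"


if __name__ == "__main__":
    # Constructed banners for illustration; not taken from a real appliance.
    samples = [
        "NetScaler NS13.0: Build 58.30.nc",
        "NetScaler NS13.0: Build 47.24.nc",
        "NetScaler NS12.1: Build 55.18.nc",
        "NetScaler NS11.1: Build 64.14.nc",
        "NetScaler NS11.0: Build 72.18.nc",
    ]
    for s in samples:
        print("%-12s %s" % (classify(s), s))
```

Run it against the first line of `show ns version` from each appliance; a result of "not covered" means the train is outside the advisory's table and needs to be checked against Citrix's lifecycle information rather than treated as safe.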

Solution

Upgrade affected Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP and Citrix Gateway Plug-in for Linux installations to the fixed versions listed above as soon as possible, following Citrix's upgrade guidance.