Today Citrix published a security bulletin covering a set of vulnerabilities in our networking products — Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP edition. Standard procedure for most software companies in advising customers of vulnerabilities is limited to the publication of the bulletin and related CVEs. In this case, however, to avoid confusion and limit the potential for misinterpretation in the industry and our customer set, I am using this space to provide brief additional context.

As it relates to CTX276688, here are five important points to understand:

  • The latest patches fully resolve all the issues.
  • Of the 11 vulnerabilities, there are six possible attacks routes; five of those have barriers to exploitation.
  • We are not aware of any exploitation of these issues.
  • Citrix-managed Gateway service is not affected.
  • And finally, these vulnerabilities are not related to CVE-2019-19781.

Barriers to Exploitation

There are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack. And in that case, only when Gateway or authentication virtual servers are being used. Other virtual servers, for example, load balancing and content switching virtual servers, are not affected by the issue.

Three of the six possible attacks in CTX276688 occur in the management interface of a vulnerable device. Systems deployed in line with Citrix recommendations will already have this interface separated from the network and protected by a firewall. That configuration greatly diminishes the risk.

Further, while I am not discounting the risk of privilege escalation, two of the remaining three possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.

While these barriers reduce the risk of these vulnerabilities, Citrix strongly recommends quick application of the supplied patches.

To help our customers and the industry understand these vulnerabilities, I have included a brief summary of the vulnerabilities, the affected products and the attack vector in table form below. The security bulletin and CVEs provide much greater detail and should be used for technical guidance.

CVE-2019-19781

There is no technical link between CVE-2019-19781 and CTX276688. Further, with CVE-2019-19781, we took the unusual step of publishing temporary mitigations in December, with subsequent permanent patches being available in January 2020. We took that step because of a high likelihood an exploit was “in the wild” and temporary mitigations gave our customers a chance to protect themselves. That is in stark contrast to the current situation: with the vulnerabilities in CTX276688, at the time of this publication, we know of no malicious exploits and have published patches that fully resolve the issues.

Citrix SD-WAN WANOP

Customers on Citrix SD-WAN WANOP should also pay heed to the advisory just released as ADC is a component within the SD-WAN WANOP deployment. Fixes are available at https://www.citrix.com/downloads/citrix-sd-wan/

Protecting Our Customers

We are limiting the public disclosure of many of the technical details of the vulnerabilities and the patches to further protect our customers. Across the industry, today’s sophisticated malicious actors are using the details and patches to reverse engineer exploits. As such, we are taking steps to advise and help our customers but also do what we can to shield intelligence from malicious actors.

Related, we have added staff to our technical support call centers and are prepared to assist our customers. We’ve built and tested our patches to high standards, both to ensure effectiveness but also with ease of implementation in mind.

Bottom line: patches are available, and we encourage our customers to apply them to reduce risk.

You can use Citrix ADM Service for simplified and bulk upgrade of all your Citrix ADC instances. Please refer to this documentation to learn more. Citrix ADM Service is a SaaS solution available on Citrix Cloud to help manage, monitor, analyze, and troubleshoot your global hybrid multi-cloud application delivery infrastructure from a single touch point. It helps with faster time to value and brings in operational efficiency. Here is a video to help get you onboarded to Citrix ADM Service. You can also view our documentation here.

Also of note, we remain committed to incorporating feedback from our customers and adapting our communication and customer support offerings as needed.

As noted in this blog, we recently updated our vulnerability processes, and we published those updates on the Citrix Trust Center website.  These updates include enhancements in our processes around international standard ISO/IEC 29147:2018; an opportunity to apply for pre-notification of security bulletins; and the Hall of Fame honoring those third parties that work collaboratively and responsibly with us to improve the security of our products.

CVE ID Vulnerability Type Affected Products Attacker Privileges Pre-conditions
CVE-2019-18177 Information disclosure Citrix ADC, Citrix Gateway Authenticated VPN user Requires a configured SSL VPN endpoint
CVE-2020-8187 Denial of service Citrix ADC, Citrix Gateway 12.0 and 11.1 only Unauthenticated remote user Requires a configured SSL VPN or AAA endpoint
CVE-2020-8190 Local elevation of privileges Citrix ADC, Citrix Gateway Authenticated user on the NSIP This issue cannot be exploited directly. An attacker must first obtain nobody privileges using another exploit
CVE-2020-8191 Reflected Cross Site Scripting (XSS) Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP Unauthenticated remote user Requires a victim who must open an attacker-controlled link in the browser while being on a network with connectivity to the NSIP
CVE-2020-8193 Authorization bypass Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP Unauthenticated user with access to the NSIP Attacker must be able to access the NSIP
CVE-2020-8194 Code Injection Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP Unauthenticated remote user Requires a victim who must download and execute a malicious binary from the NSIP
CVE-2020-8195 Information disclosure Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP Authenticated user on the NSIP
CVE-2020-8196 Information disclosure Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP Authenticated user on the NSIP
CVE-2020-8197 Elevation of privileges Citrix ADC, Citrix Gateway Authenticated user on the NSIP
CVE-2020-8198 Stored Cross Site Scripting (XSS) Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP Unauthenticated remote user Requires a victim who must be logged in as an administrator (nsroot) on the NSIP
CVE-2020-8199 Local elevation of privileges Citrix Gateway Plug-in for Linux Local user on the Linux computer running Citrix Gateway Plug-in A pre-installed version of Citrix Gateway Plug-in for Linux must be running