Tackling vulnerabilities to keep your business running

Citrix is committed to keeping its products and customers secure. Citrix strives to follow industry standards during all phases of the Secure Development Lifecycle (SDLC). As part of its SDLC program, Citrix has a robust Security Response Process that accepts vulnerability reports against Citrix products and services from external sources – customers and researchers alike.

Response process

The Citrix Security Response Team is a dedicated, global team that is responsible for managing the receipt, verification, and public reporting of information about security vulnerabilities in Citrix products.

In line with its commitment to adhere to international standard ISO/IEC 29147:2018, all issues reported to Citrix follow our vulnerability response process:

Receipt
Upon receiving a vulnerability report, Citrix will generate a unique case identifier and acknowledge receipt by the end of the next working day.

Triage
Citrix will investigate vulnerabilities in Citrix products and services from the date of release until End of Life. The investigation and verification of issues will be prioritized based on the potential severity of the vulnerability and other environmental factors. Throughout the investigative process, Citrix will work with the reporter to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results are delivered to the reporter along with a plan for resolution and public disclosure, if applicable.

Variant analysis
Citrix will perform an in-depth analysis to ensure that similar issues are identified and that any action taken will ultimately address the whole class of issues.

Resolution
The Citrix Security Response team will work with Citrix internal product development teams to address the issue. Timescales for releasing a fix vary according to complexity and severity. Citrix will provide updates to the researcher as and when there is progress with the vulnerability handling process related to the reported vulnerability.

Release
When a mitigation or software update is released, Citrix will provide remediation or mitigation information to users, typically in the form of a security bulletin and software patches or updates. If, during the course of the vulnerability handling process, Citrix identifies a vulnerability in a third-party product or service, we will endeavor to responsibly disclose this issue and coordinate our public releases.

Post release
Citrix will monitor feedback from users and, if necessary, will update remediation and mitigation information accordingly.

Vulnerability disclosure

At Citrix, we are committed to ensuring the security of our customers. We follow a holistic and comprehensive approach to secure our products, services, and assets, with a formalized process for handling reported security vulnerabilities.

To stay informed about security vulnerabilities, update your support notifications to receive future security bulletins by email or subscribe to the RSS feed.

Citrix uses third-party components within our products and, as part of Citrix commitment to customer security, incorporates relevant security improvements into Citrix software updates. Citrix therefore recommends customers always use the most recent release of a currently maintained version of Citrix software or firmware, to ensure they benefit from the latest security updates. Please see the Citrix product matrix for information on lifecycle of Citrix products.

If information is needed on the impact of a CVE on a Citrix product or service, please raise a support request through your normal Citrix support channel. Please include the Common Vulnerabilities and Exposures (CVE) reference (https://nvd.nist.gov) or the relevant security bulletin article number when submitting the request.

Citrix generally publishes security bulletins to provide remediation information about security vulnerabilities in customer-managed Citrix products which have been reported to Citrix through the vulnerability response program. Citrix may also publish security bulletins to inform customers of other important events affecting Citrix products, for example, if a critical third-party CVE impacts a Citrix product and has gathered significant public attention.

Citrix will usually publish a security bulletin once software patches or workarounds exist in all versions of a product that have not yet reached End of Maintenance. In limited circumstances, including where Citrix has observed active exploitation of a vulnerability or where public awareness of a vulnerability could lead to increased risk for Citrix customers, a security bulletin may be published before a complete set of patches or workarounds have been released so that we may alert customers and provide advice on how to mitigate the associated risks.

Citrix classifies security bulletins as Critical, High, Medium, Low, or Informational according to the risk that Citrix determines a vulnerability represents to our customers. Citrix will calculate the risk of a vulnerability considering the CVSS method, but may modify scoring to reflect specific circumstances including, but not limited to, complexity of exploitation and available mitigations. Citrix recommends that customers apply security fixes/patches as soon as possible following their release.

For the safety of all our customers, Citrix does not disclose technical details about the vulnerabilities beyond what is contained in the bulletin. If information about a Citrix security bulletin is needed, please raise a support request through your normal Citrix support channel. Please include the relevant Citrix security bulletin article number when submitting the request.

Citrix Security bulletins are published and disclosed to customers and the public simultaneously. However, Citrix provides an advanced notification of upcoming bulletins to a limited group of customers. 

When able to do so, Citrix will notify enrolled customers of an upcoming Security bulletin 1-2 weeks prior to the public release date, to aid them in the planning of update activities. The notification will contain the name of the affected product, affected version (major versions only), criticality of the vulnerability and expected date of release.

Pre-notification of upcoming Citrix Security bulletins is available to customers and partners that meet the following criteria: 

  • Be using customer-managed Citrix products  (i.e., not in Citrix Cloud)
  • Have a current Priority or Priority Plus support contract with Citrix 
  • Have a Citrix user base of 10,000 or more users OR be managing critical infrastructure. Examples of critical infrastructure include - 
    • Cloud platform providers 
    • Service platform provider 
    • Healthcare-based ISVs
    • Financial Services
    • Energy Sector
    • Government Departments
    • Transportation
  • Have NOT been previously disqualified from the pre-disclosure program

Customers wishing to be enrolled to the Pre-notification program should contact their Technical Account Manager (TAM) who will apply to join the pre-notification program on their behalf.

Please note that submission of a request does not guarantee admission into the pre-notification program. Requests are considered and approved at the sole discretion of Citrix. 

Hall of fame

Citrix would like to thank security researchers who have worked with us to secure Citrix products and services and, when permission is given, will acknowledge a reporter's contribution during the public disclosure of a vulnerability.

 

Name Company Date Reference

Julien Thomas

Protektoid project

Dec-20

CVE-2020-8274, CVE-2020-8275

Michael Garrison

State Farm Information Security

Nov-20

CVE-2020-8270

Hannay Al Mohanna

F-Secure

Nov-20

CVE-2020-8269

Ariel Tempelhof

Realmode Labs

Nov-20

CVE-2020-8271, CVE-2020-8272, CVE-2020-8273

Chen Erlich

Cymptom

Oct-20

CVE-2020-8257, CVE-2020-8258

Moritz Bechler

SySS GmbH

Sep-20

CVE-2020-8245

Knud

F-Secure

Sep-20

CVE-2020-8246

Arsenii Pustovit

Adversary Emulation team (Royal Bank of Canada) 

Sep-20

CVE-2020-8247

Johan Georges

Wisearc Advisors, Sweden

Sept-20

HTTP Request Smuggling

Vasilis Maritsas

EY Consulting

Sept-20

HTTP Request Smuggling

Juan David Ordoñez Noriega

RedTeam CSIETE

Sept-20

HTTP Request Smuggling

Ricardo Iramar Dos Santos

N/A

Sept-20

HTTP Request Smuggling

Harrison Neal

Patch Advisor

Sep-20

CVE-2020-8200

Andrey Medov

Positive Technologies

Aug-20

CVE-2020-8209

Glyn Wintle

Tradecraft

Aug-20

CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, CVE-2020-8212,

CVE-2020-8253

Kristian Bremberg

Detectify

Aug-20

CVE-2020-8208

Ceri Coburn

Pen Test Partners

Jul-20

CVE-2020-8207

Albert Shi

Univision Network (Shanghai) Co., Ltd

Jul-20

CVE-2020-8198

Maarten Boone

N/A

Jul-20

CVE-2020-8190

Donny Maasland

Unauthorized Access

Jul-20

CVE-2020-8191, CVE-2020-8193, CVE-2020-8194, CVE-2020-8195, CVE-2020-8196

Laurent Geyer

Akamai

Jul-20

CVE-2020-8197

Albert Shi

UVision

Jul-20

CVE-2020-8198

Viktor Dragomiretskyy

N/A

Jul-20

CVE-2020-8199

Muris Kurgas

Digital14

Jul-20

CVE-2019-18177

Daniel Jensen

N/A

Jun-20

CVE-2020-7473, CVE-2020-8982, CVE-2020-8983

Andrew Hess

N/A

Jun-20

CVE-2020-13884, CVE-2020-13885

Danske Bank Red-Team

Danske Bank

May-20

CVE-2020-8982, CVE-2020-8983

 

Name Company Date Reference

Vahagn Vardanyan

N/A

Aug-19

CVE-2019-13608

Mikhail Klyuchnikov

Positive Technologies

Dec-19

CVE-2019-19781

Gianlorenzo Cipparrone

Paddy Power Betfair plc

Dec-19

CVE-2019-19781

Miguel Gonzalez

Paddy Power Betfair plc

Dec-19

CVE-2019-19781

Marc-André Labonté

Desjardins

Oct-19

CVE-2019-18225

Ollie Whitehouse

NCC Group

May-19

CVE-2019-11634

Richard Warren

NCC Group

May-19

CVE-2019-11634

Martin Hill

NCC Group

May-19

CVE-2019-11634

Sergey Gordeychik

SD-WAN New Hope

Apr-19

CVE-2019-11550

Denis Kolegov

SD-WAN New Hope

Apr-19

CVE-2019-11550

Nikita Oleksov

SD-WAN New Hope

Apr-19

CVE-2019-11550

Jonas

Danske Bank

Apr-19

CVE-2019-18571

Vasile Revnic

N/A

Apr-19

CVE-2019-11345

Mark Du Plessis

N/A

Mar-19

CVE-2019-9548

Craig Young

Tripwire VERT

Jan-19

CVE-2019-6485

Janis Fliegenschmidt

Ruhr-Universität Bochum

Jan-19

CVE-2019-6485

Juraj Somorovsky

Ruhr-Universität Bochum

Jan-19

CVE-2019-6485

Nimrod Aviram

Tel Aviv University

Jan-19

CVE-2019-6485

Robert Merget

Ruhr-Universität Bochum

Jan-19

CVE-2019-6485