Multiple High-Risk Vulnerabilities in Citrix Products

Jul 15, 2020 GMT+08:00

I. Overview

A recent Citrix security update disclosed multiple vulnerabilities affecting Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP. Attackers can exploit these vulnerabilities to bypass permission verification, inject code, leak sensitive information, and escalate privileges.

If you are a Citrix user, check your applications and implement timely security hardening.

For more information about these vulnerabilities, visit the following website:

https://support.citrix.com/article/CTX276688

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Citrix ADC and Citrix Gateway versions earlier than 13.0-58.30

Citrix ADC and NetScaler Gateway versions earlier than 12.1-57.18

Citrix ADC and NetScaler Gateway versions earlier than 12.0-63.21

Citrix ADC and NetScaler Gateway versions earlier than 11.1-64.14

NetScaler ADC and NetScaler Gateway versions earlier than 10.5-70.18

Citrix SD-WAN WANOP versions earlier than 11.1.1a

Citrix SD-WAN WANOP versions earlier than 11.0.3d

Citrix SD-WAN WANOP versions earlier than 10.2.7

Citrix Gateway Plug-in for Linux versions earlier than 1.0.0.137

Secure versions:

Citrix ADC and Citrix Gateway 13.0-58.30 and later versions

Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 versions

Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 versions

Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 versions

NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 versions

Citrix SD-WAN WANOP 11.1.1a and later 11.1 versions

Citrix SD-WAN WANOP 11.0.3d and later 11.0 versions

Citrix SD-WAN WANOP 10.2.7 and later 10.2 versions

Citrix Gateway Plug-in for Linux 1.0.0.137 and later versions
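
To triage an asset inventory against the lists above, the following added example (not part of the original notice and not Citrix code) classifies each installed version as fixed, affected, or on a branch this notice does not list. It assumes versions are recorded in the notice's own notation; the product keys, hostnames and sample versions are constructed.

```python
import re

# Fixed builds per release branch, copied from the "Secure versions" list above.
ADC_FIXED = {"13.0": (58, 30), "12.1": (57, 18), "12.0": (63, 21),
             "11.1": (64, 14), "10.5": (70, 18)}
# Assumption: a letter suffix sorts after the bare release (11.1.1 < 11.1.1a).
WANOP_FIXED = {"11.1": (1, "a"), "11.0": (3, "d"), "10.2": (7, "")}
PLUGIN_FIXED = (1, 0, 0, 137)

def _verdict(branch, build, table):
    if branch not in table:
        return "branch-not-listed"  # not covered by this notice; review manually
    return "fixed" if build >= table[branch] else "affected"

def check_adc(version):
    """Citrix ADC / Gateway build in the notice's notation, e.g. '13.0-58.30'."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        return "unparsed"
    return _verdict(m.group(1), (int(m.group(2)), int(m.group(3))), ADC_FIXED)

def check_wanop(version):
    """Citrix SD-WAN WANOP release, e.g. '11.1.1a' or '10.2.7'."""
    m = re.fullmatch(r"(\d+\.\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        return "unparsed"
    return _verdict(m.group(1), (int(m.group(2)), m.group(3)), WANOP_FIXED)

def check_plugin(version):
    """Citrix Gateway Plug-in for Linux, dotted version such as '1.0.0.137'."""
    if not re.fullmatch(r"\d+(\.\d+){3}", version.strip()):
        return "unparsed"
    parts = tuple(map(int, version.strip().split(".")))
    return "fixed" if parts >= PLUGIN_FIXED else "affected"

CHECKS = {"adc": check_adc, "gateway": check_adc,
          "wanop": check_wanop, "plugin-linux": check_plugin}

def audit(inventory):
    """Map each host to a verdict; anything other than 'fixed' needs attention."""
    return {host: CHECKS.get(product, lambda v: "unknown-product")(version)
            for host, product, version in inventory}

# Constructed sample inventory: hostnames and installed versions are illustrative.
SAMPLE = [("adc-01", "adc", "13.0-58.30"), ("adc-02", "adc", "12.1-55.18"),
          ("gw-01", "gateway", "11.1-64.14"), ("wan-01", "wanop", "11.0.3c"),
          ("vpn-01", "plugin-linux", "1.0.0.98"), ("adc-old", "adc", "10.1-135.8")]
if __name__ == "__main__":
    print("\n".join(f"{h:10} {s}" for h, s in audit(SAMPLE).items()))
```

Hosts reported as `branch-not-listed` or `unparsed` are not cleared by this check and should be compared against the Citrix bulletin directly.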

IV. Vulnerability Handling

Fixed builds have been released for all supported versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. If your application is affected, upgrade it to a secure version.

Citrix ADC download link: https://www.citrix.com/downloads/citrix-adc/

Citrix Gateway download link: https://www.citrix.com/downloads/citrix-gateway/

Citrix SD-WAN download link: https://www.citrix.com/downloads/citrix-sd-wan/

If you cannot update to a secure version immediately, make sure that access to the management interface is restricted. For more information, see:

https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html

If you use the Citrix Gateway Plug-in for Linux, log in to the updated version of Citrix Gateway and select Network VPN mode. You will then be prompted to update.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.