Multiple High-Risk Vulnerabilities in Citrix Products
Jul 15, 2020 GMT+08:00
I. Overview
A recent Citrix security update discloses multiple vulnerabilities affecting Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP. Attackers can exploit these vulnerabilities to bypass permission verification, inject code, leak sensitive information, and escalate privileges.
If you are a Citrix user, check your applications and implement timely security hardening.
For more information about these vulnerabilities, visit the following website:
https://support.citrix.com/article/CTX276688
II. Severity
Severity: important
(Severity levels: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Citrix ADC and Citrix Gateway versions earlier than 13.0-58.30
Citrix ADC and NetScaler Gateway versions earlier than 12.1-57.18
Citrix ADC and NetScaler Gateway versions earlier than 12.0-63.21
Citrix ADC and NetScaler Gateway versions earlier than 11.1-64.14
NetScaler ADC and NetScaler Gateway versions earlier than 10.5-70.18
Citrix SD-WAN WANOP versions earlier than 11.1.1a
Citrix SD-WAN WANOP versions earlier than 11.0.3d
Citrix SD-WAN WANOP versions earlier than 10.2.7
Citrix Gateway Plug-in for Linux versions earlier than 1.0.0.137
Secure versions:
Citrix ADC and Citrix Gateway 13.0-58.30 and later versions
Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 versions
Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 versions
Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 versions
NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 versions
Citrix SD-WAN WANOP 11.1.1a and later 11.1 versions
Citrix SD-WAN WANOP 11.0.3d and later 11.0 versions
Citrix SD-WAN WANOP 10.2.7 and later 10.2 versions
Citrix Gateway Plug-in for Linux 1.0.0.137 and later versions
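The following is an added example, not part of the original notice and not Citrix tooling: a small Python check that classifies a Citrix ADC or Gateway build against the fixed builds listed above. It covers only the ADC/Gateway branches (not SD-WAN WANOP or the Linux plug-in); the CLI-style banner format and the hostnames in the sample inventory are assumptions.

```python
import re

# First fixed build per release branch for Citrix ADC / Gateway, copied
# from the "Secure versions" list in this notice.
FIXED_BUILDS = {
    (13, 0): (58, 30),
    (12, 1): (57, 18),
    (12, 0): (63, 21),
    (11, 1): (64, 14),
    (10, 5): (70, 18),
}
NEWEST_BRANCH = max(FIXED_BUILDS)

# Accepts the notation used in this notice ("12.1-57.18") and, as an
# assumption, a CLI-style banner such as "NS12.1: Build 57.18.nc".
_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.IGNORECASE
)

def parse_build(text):
    """Return ((major, minor), (build, patch)) or raise ValueError."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor), (build, patch)

def classify(text):
    """Classify one build as 'fixed', 'affected' or 'unlisted-branch'."""
    branch, build = parse_build(text)
    if branch in FIXED_BUILDS:
        # Integer tuples, so 57.9 sorts before 57.18 (a float or string
        # comparison would wrongly call 57.9 the newer build).
        return "fixed" if build >= FIXED_BUILDS[branch] else "affected"
    if branch > NEWEST_BRANCH:
        return "fixed"  # notice: "13.0-58.30 and later versions"
    return "unlisted-branch"  # no fixed build given here; review manually

if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames are hypothetical.
    inventory = {"adc-dmz-01": "13.0-47.24", "adc-dmz-02": "12.1-57.18",
                 "gw-legacy": "NS11.0: Build 72.16.nc"}
    for host, version in inventory.items():
        print(f"{host:12} {version:26} {classify(version)}")
```

A result of "unlisted-branch" means the notice gives no fixed build for that release line, so the appliance needs manual review rather than being assumed safe.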
IV. Vulnerability Handling
Fixed builds have been released for all supported versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. If your application is affected, upgrade it to a secure version.
Citrix ADC download link: https://www.citrix.com/downloads/citrix-adc/
Citrix Gateway download link: https://www.citrix.com/downloads/citrix-gateway/
Citrix SD-WAN download link: https://www.citrix.com/downloads/citrix-sd-wan/
If you are unable to immediately update to a secure version, make sure that access to the management interface is restricted. For more information, see
https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html
If you use Citrix Gateway Plug-in for Linux, log in to the updated version of Citrix Gateway and select Network VPN mode. You will then be prompted to update.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.