A vulnerability has been discovered in Citrix Gateway and Citrix ADC, listed below, that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance.
CVE-ID: CVE-2022-27518
Description: Unauthenticated remote arbitrary code execution
CWE: CWE-664: Improper Control of a Resource Through its Lifetime
Affected Products: Citrix Gateway, Citrix ADC
Pre-conditions: Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP
The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
Citrix ADC 12.1-FIPS before 12.1-55.291
Citrix ADC 12.1-NDcPP before 12.1-55.291
Citrix ADC and Citrix Gateway version 13.1 is unaffected.
What Customers Should Do
Exploits of this issue on unmitigated appliances in the wild have been reported. Citrix strongly urges affected customers of Citrix ADC and Citrix Gateway to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
Citrix ADC and Citrix Gateway 13.0-58.32 and later releases
Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP
Please note that Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL and customers on those versions are recommended to upgrade to one of the supported versions.
A vulnerability has been discovered in Citrix ADC and Citrix Gateway which enables an attacker to create a specially crafted URL that redirects to a malicious website.
This vulnerability has the following identifier:
CVE-ID: CVE-2022-27509
Description: Unauthenticated redirection to a malicious website
CWE: CWE-345: Insufficient Verification of Data Authenticity
Pre-conditions: Appliance must be configured as a VPN (Gateway) or AAA virtual server; a victim user must use an attacker-crafted link
The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
Citrix ADC and Citrix Gateway 13.1 before 13.1-24.38
Citrix ADC and Citrix Gateway 13.0 before 13.0-86.17
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.15
Citrix ADC 12.1-FIPS before 12.1-55.282
Citrix ADC 12.1-NDcPP before 12.1-55.282
This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway appliances. Customers using Citrix-managed cloud services do not need to take any action.
What Customers Should Do
Citrix recommends that affected customers install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
Citrix ADC and Citrix Gateway 13.1-24.38 and later releases
Citrix ADC and Citrix Gateway 13.0-86.17 and later releases of 13.0
Citrix ADC and Citrix Gateway 12.1-65.15 and later releases of 12.1
Citrix ADC 12.1-FIPS 12.1-55.282 and later releases of 12.1-FIPS
Citrix ADC 12.1-NDcPP 12.1-55.282 and later releases of 12.1-NDcPP
Then select the item «Upcoming Auto-Renewals».
Find the auto-renewal offer you want to cancel and click the ellipsis (three dots) on the offer to display a list of options.
To cancel the upcoming auto-renewal, select the «Cancel auto-renewal» option. A pop-up window appears informing you that you are about to cancel an auto-renewal and asking you to complete a cancellation survey. The survey is required to complete the cancellation process.
Click «Go». This redirects you to DOTI to complete the required cancellation survey and the cancellation process.
Fill in the information in the survey, tick the «I Agree» box and then click the «Submit» button to complete the cancellation process.
After the survey has been submitted, you will see a message on the «Upcoming Auto-Renewals» page in Citrix My Account confirming that the auto-renewal has been cancelled. The services remain available until the expiry date.
The auto-renewal status changes to «WITHDRAWN».
Check Licence Status
Do you have questions about your licences or would you like us to check your current licence status? We are happy to help with all questions about Citrix licensing and will check your current status. Simply contact us by e-mail or telephone.
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO and 5100-WO. If exploited, these vulnerabilities can lead to the following security issues:
CVE ID: CVE-2020-8245
Description: An HTML Injection attack against the SSL VPN web portal
Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation
Affected Products: Citrix ADC, Citrix Gateway
Pre-conditions: Requires an authenticated victim on the SSL VPN web portal who must open an attacker-controlled link in the browser

CVE ID: CVE-2020-8246
Description: A denial of service attack originating from the management network
Vulnerability Type: CWE-400: Uncontrolled Resource Consumption
Affected Products: Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP
Pre-conditions: Unauthenticated attacker with access to the management network

CVE ID: CVE-2020-8247
Description: Escalation of privileges on the management interface
Vulnerability Type: CWE-269: Improper Privilege Management
Affected Products: Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP
Pre-conditions: An attacker must possess privilege to execute arbitrary commands on the management interface
The vulnerabilities are fixed in the following supported versions:
Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
Citrix ADC and NetScaler Gateway 12.1-58.15 and later releases
Citrix ADC 12.1-FIPS 12.1-55.187 and later releases
Citrix ADC and NetScaler Gateway 11.1-65.12 and later releases
Citrix SD-WAN WANOP 11.2.1a and later releases
Citrix SD-WAN WANOP 11.1.2a and later releases
Citrix SD-WAN WANOP 11.0.3f and later releases
Citrix SD-WAN WANOP 10.2.7b and later releases
In addition, security enhancements have been added to the above versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP to protect customers from HTTP request smuggling attacks. Customers can enable these enhancements through the Citrix ADC management interface. For more information, see https://support.citrix.com/article/CTX282268.
Mitigating Factors
Two of the three vulnerabilities originate in the management interface of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. Citrix strongly recommends separating network traffic to the appliance's management interface, either physically or logically, from normal network traffic. This significantly reduces the risk of exploitation. For more information, see https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html.
Resolution
Install one of the released updates as soon as possible.
Do you have questions or need help? Contact us, we are happy to help.
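As an added example (not part of the Citrix bulletins), the following Python script encodes the fixed builds from the three bulletins above (CVE-2022-27518, CVE-2022-27509 and CVE-2020-8245/8246/8247) and reports whether a given appliance build is still below a fix. The FIPS/NDcPP variant has to be passed separately because those build strings look like standard ones, and the "show ns version" output layout it accepts is an assumption of this example.

```python
import re

# Fixed builds taken from the three Citrix bulletins above, keyed by
# (release train, variant). A build below the listed one is affected; a
# train a bulletin does not list is reported as "not listed" (e.g. 13.1
# for CVE-2022-27518). The 2020 bulletin gives one fix set for its three
# CVEs, so they share an entry. SD-WAN WANOP has a different scheme and is left out.
FIXED_BUILDS = {
    "CVE-2022-27518": {
        ("13.0", ""): (58, 32),
        ("12.1", ""): (65, 25),
        ("12.1", "FIPS"): (55, 291),
        ("12.1", "NDcPP"): (55, 291),
    },
    "CVE-2022-27509": {
        ("13.1", ""): (24, 38),
        ("13.0", ""): (86, 17),
        ("12.1", ""): (65, 15),
        ("12.1", "FIPS"): (55, 282),
        ("12.1", "NDcPP"): (55, 282),
    },
    "CVE-2020-8245/8246/8247": {
        ("13.0", ""): (64, 35),
        ("12.1", ""): (58, 15),
        ("12.1", "FIPS"): (55, 187),
        ("11.1", ""): (65, 12),
    },
}

_VERSION_RE = re.compile(r"(\d+\.\d+)\D+?(\d+)\.(\d+)")

def parse_build(version):
    """Return (train, (major, minor)) from '13.0-58.32' or, as an assumed
    layout, 'NetScaler NS13.0: Build 58.32.nc' (the 'show ns version' style)."""
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(version, cve, variant=""):
    """'vulnerable', 'fixed' or 'not listed'; variant is '' for standard builds, 'FIPS' or 'NDcPP'."""
    train, build = parse_build(version)
    fixed = FIXED_BUILDS[cve].get((train, variant))
    if fixed is None:
        return "not listed"
    return "vulnerable" if build < fixed else "fixed"

def open_cves(version, variant=""):
    """Bulletin entries for which this build is still vulnerable."""
    return [cve for cve in FIXED_BUILDS if assess(version, cve, variant) == "vulnerable"]
```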
Solution
Citrix is aware of a potential issue impacting the Citrix Broker and Citrix HighAvailability services on the Delivery Controllers and Citrix Cloud Connectors respectively with Microsoft Defender installed. Please see the following article for best practices to configure Microsoft Windows Defender: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html.
On-Premises Deployment
Microsoft has released an updated Antivirus Definition 1.321.1341.0 to address this issue.
To clear the current definition cache and trigger an update, run the following commands as an administrator (for example from a batch script):
cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate
If you continue to see the issue, please follow the below workarounds:
Workaround 1
The following steps can help restore the service:
Restore the quarantined files from Windows Defender by following this article: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus
This includes the Citrix Broker Service, the Citrix High Availability Service and the Citrix Configuration Sync service.
Change the Log On for these services to Network Service.
Apply the exclusion list described in the article: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html.
Reboot the Citrix Delivery Controller machine
Try the below steps if the above workaround does not resolve the issue.
Workaround 2
Mount the Citrix Virtual Apps and Desktop ISO.
Navigate to the «\x64\Citrix Desktop Delivery Controller» folder.
Right-click Broker_Service_x64.msi and choose Repair.
During the Repair, add BrokerService.exe and HighAvailabilityService.exe to the exclusion list in the Microsoft Windows Defender pop-up wizard.
If the Microsoft Windows Defender wizard does not pop up automatically during the BrokerService.exe Repair, follow https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html to add the exclusions manually.
Workaround 3
Disable or downgrade the Microsoft Windows Defender version. Refer to the Microsoft article below to add exclusions or roll back the update.
https://support.microsoft.com/en-in/help/4052623/update-for-microsoft-defender-antimalware-platform
Ensure Citrix Recommended AV exclusions are in place as per Citrix article: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html#antivirus-exclusions
Citrix Virtual Apps and Desktop Service
Workaround
Please follow the below steps on all Citrix Cloud Connector machines:
Restore the quarantined files from Windows Defender by following this article: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus
This includes the Citrix High Availability Service and the Citrix Configuration Sync service.
Change the Log On for these services to Network Service.
Apply the exclusion list described in the article: https://docs.citrix.com/en-us/tech-zone/build/tech-papers/antivirus-best-practices.html#cloud-connector
Reboot the Citrix Cloud Connector
Note: If the files for the Citrix High Availability Service and the Citrix Configuration Sync service are no longer present in Windows Defender quarantined files, uninstall and reinstall the Citrix Cloud Connector.
Problem Cause
Microsoft Windows Defender is detecting the Citrix Broker Service as well as HighAvailabilityService.exe as a Trojan and deleting them.