This issue has been addressed in the following versions of Citrix Secure Access client for Ubuntu:
23.5.2 and later releases
Citrix recommends that customers who are affected by the above vulnerability upgrade the Citrix Secure Access client for Ubuntu installed on their endpoints by taking the following actions as soon as possible:
If Citrix Secure Access client for Ubuntu is distributed via the SSL VPN upgrade control feature of Citrix ADC or Citrix Gateway:
Check the versions of Citrix Secure Access client for Ubuntu that are being distributed by each Citrix ADC or Citrix Gateway instance. This can be done by viewing the file located at /var/netscaler/gui/vpn/scripts/linux/clientversions.xml. If it is a vulnerable version, customers must:
Citrix thanks Rilke Petrosky of F2TC Cyber Security for working with us to protect Citrix customers.
What Citrix is Doing
Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.
Subscribe to Receive Alerts
Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.
Disclaimer
This document is provided on an «as is» basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.
This issue has been addressed in the following versions of the Citrix Secure Access client for Windows:
23.5.1.3 and later releases
Citrix recommends that customers who are affected by the above vulnerability upgrade the Citrix Secure Access client for Windows installed on their endpoints by taking the following actions as soon as possible:
If Citrix Secure Access client for Windows is distributed via the SSL VPN upgrade control feature of Citrix ADC or Citrix Gateway:
Check the versions of the Citrix Secure Access client for Windows that are being distributed by each Citrix ADC or Citrix Gateway instance. This can be done using either GUI (instructions at: https://www.citrix.com/downloads/citrix-gateway/plug-ins/citrix-secure-access-client-for-windows.html) or by viewing the file located at /var/netscaler/gui/vpn/pluginlist.xml. If it is a vulnerable version, customers must:
Citrix has identified an isolated issue in which some customers experienced a crash condition after upgrading to the current build with HTTP/2 enabled.
What Product is Affected?
NetScaler appliance upgraded to version NS13.1 Build 45.63 or NS13.0 Build 90.11
*No other versions are impacted by this HTTP/2 issue.
Is there a workaround or fix?
Workaround: Disable http2 in the HTTP profile bound to the virtual server.
Fix: Engineering is working on a code fix and will update the ETA of the next build as soon as possible.
How to verify if http2 is enabled?
Run the following command from the CLI and verify if http2Direct Is reported as enabled.
> show run | grep http2
Example of output if enabled:
> set ns httpProfile <name of httpprofile> -http2 ENABLED -http2Direct ENABLED
Example of output if not enabled:
> set ns httpProfile <name of httpprofile> -http2 DISABLED -http2Direct DISABLED
How to disable http2 if enabled?
> set ns httpProfile <name of the httpprofile> -http2 DISABLED -http2Direct DISABLED
Citrix published on May, 9th a new Security Bulletin for NetScaler ADC and Netscaler Gateway. The severity is rated as medium. AXACOM is recommending to upgrade the NetScaler ADCs and Gateways in the next few days according to the Citrix CTX477714.
Please monitor as well the Citrix CTX article under the following link:
Vulnerabilities have been discovered in Citrix ADC and Citrix Gateway listed below, that, if exploited, could result in the following security issues:
Impacted Products, Versions and Components
The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
Citrix ADC 12.1-FIPS before 12.1-55.296
Citrix ADC 12.1-NDcPP before 12.1-55.296
This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
CVE ID
Description
Pre-requisites
CWE
CVSS
CVE-2023-24488
Cross site scripting
Appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
Citrix ADC and Citrix Gateway 13.1-45.61 and later releases
Citrix ADC and Citrix Gateway 13.0-90.11 and later releases of 13.0
Citrix ADC and Citrix Gateway 12.1-65.35 and later releases of 12.1
Citrix ADC 12.1-FIPS 12.1-55.296 and later releases of 12.1-FIPS
Citrix ADC 13.1-FIPS 13.1-37.150 and later releases of 13.1-FIPS
Citrix ADC 12.1-NDcPP 12.1-55.296 and later releases of 12.1-NDcPP
Wie Sie sicher schon gehört haben wurde die Citrix privatisiert (von der Börse entfernt) und in die neue Firma Cloud Software Group integriert. (https://www.cloud.com )
Citrix (Virtual Apps und Desktop, Citrix Daas Cloud), NetScaler, ShareFile und auch XenServer werden als eigene Business Group geführt.
Citrix hat in den letzten Jahren diverse On Prem Produkt Lizenzen in Cloud oder in ein Subscription Model geändert.
Hier werden wir Sie laufend über die Änderungen bei der Citrix Lizenzierung informieren:
Netscaler:
Alle Netscaler Hardware und Software (VPX) können nur noch bis am 03.03.2023 als gekaufte Version bestellt werden!
Danach gelten folgende Neuerungen:
Bei Hardware Modellen wird die Hardware und die Maintenance separat gekauft.
Die Lizenzen werden im Subscription Model (fixe Laufzeit) mit Bandbreite und Version gekauft.
Bei allen Modellen (Hardware und VPX) gibt es keine Standard Version mehr.
Virtuelle Netscaler (VPX) gibt es nur noch ab 200 Mbit Durchsatz und auch nur noch im Subscription Model.
Wenn Sie noch 10, 50 Mbit und auch noch Standard benötigen, können Sie diese über uns im CSP (Mietmodel) beziehen.
Alle bestehenden gekauften Netscaler, Hardware wie auch Software, können auch nach dem 03.03.2023 verlängert werden. Ein Update auf eine andere Version oder Bandbreite ist dann jedoch nicht mehr möglich!
Citrix Virtual Apps und Desktop:
Letzte Woche hat Citrix ein Mail an alle Kunden gesendet:
Retiring Perpetual Licensing – Convert to New Citrix Universal Subscription!
Mit dieser Lizenz ist es möglich eine Citrix Umgebung in der Cloud oder auch On Prem zu betreiben.
Kunden mit mehr als 1000 Benutzer können ihre gekauften On Prem Lizenzen nicht mehr verlängern und müssen in ein Subscription Model wechseln. Am Besten auf die neue Universal Subscription Lizenz.
Mit Vorbehalt:
Alle Kunden unter 1000 Lizenzen können ihre Lizenzen auch nach dem 03.03.2023 verlängern.
Wenn sie danach neue zusätzliche Lizenzen brauchen geht das nur über eine Subscription Lizenz. (fixe Laufzeit)
Für Kunden, die jetzt schon im Subscription Model sind, ändert sich nichts.
Citrix erhöht die Preise Ende März für alle Maintenance Kunden. ~10% Darum macht es vielleicht Sinn die bestehenden Lizenzen bis am 03.03.2023 noch für ein bis drei Jahre zu verlängern.
Bitte melden Sie sich bei uns wenn Sie Fragen zur Lizenzierung haben oder ein Angebot wünschen: Maurizio.Mantovani oder Ruedi.lendenmann
Citrix Auto-Renewal:
Wenn die Maintenance nicht durch uns oder einen anderen Reseller verlängert wird, erstellt Citrix automatisch eine Quote und sendet diese an eine im Portal hinterlegte Mailadresse! Wenn Sie darauf nicht reagieren, wird die Lizenz automatisch verlängert und es wird eine Rechnung versendet.
Bitte deaktivieren Sie das Auto-Renewal wie folgt:
Damit Sie ein Ticket bei Citrix eröffnen können, braucht es eine aktive Maintenance und der Lizenz Server muss auf der neusten Version sein: (Der Lic Server braucht Internet Zugang) Required License Server Update (citrix.com)
A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA.
The vulnerability has been given the following identifier:
CVE ID
Description
Vulnerability Type
Pre-conditions
CVE-2023-24483
Privilege Escalation to NT AUTHORITY\SYSTEM on the vulnerable VDA
CWE-269: Improper Privilege Management
Local access to a Windows VDA as a standard Windows user
The vulnerability affects the following supported versions of Citrix Virtual Apps and Desktops:
Current Release (CR)
Citrix Virtual Apps and Desktops versions before 2212
Long Term Service Release (LTSR)
Citrix Virtual Apps and Desktops 2203 LTSR before CU2
Citrix Virtual Apps and Desktops 1912 LTSR before CU6
In addition, customers using Citrix Virtual Apps and Desktops Service using any of the vulnerable versions of Citrix Virtual Apps and Desktops Windows VDA are affected and need to take action.
Vulnerabilities have been identified that, collectively, allow a standard Windows user to perform operations as SYSTEM on the computer running Citrix Workspace app.
These vulnerabilities have the following identifiers:
CVE ID
Description
Vulnerability Type
Pre-conditions
CVE-2023-24484
A malicious user can cause log files to be written to a directory that they do not have permission to write to.
CWE-284: Improper Access Control
Local user access to a system where a vulnerable version of Citrix Workspace App for Windows is later installed or uninstalled by a SYSTEM process (e.g. SCCM).
CVE-2023-24485
Privilege Escalation on the system running a vulnerable version of Citrix Workspace app for Windows
CWE-284: Improper Access Control
Local user access to a system at the time a vulnerable version of Citrix Workspace App for Windows is being installed or uninstalled by an Administrator or SYSTEM process (e.g. SCCM).
The vulnerability affects the following supported versions of Citrix Workspace App for Windows:
Citrix Workspace App versions before 2212
Citrix Workspace App 2203 LTSR before CU2
Citrix Workspace App 1912 LTSR before CU7 Hotfix 2 (19.12.7002)
