AXACOM encourage all customer with SAML authentication to have a close look at CVE-2020-8300 and implement the described measures to fix the issue, as soon as possible.
Description of Problem
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in the following security issues:
CVE-ID
Description
CWE
Affected Products
Pre-conditions
CVE-2020-8300
SAML authentication hijack through a phishing attack to steal a valid user session
CWE-284: Improper access control
Citrix ADC, Citrix Gateway
Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP
The following supported versions of Citrix ADC and Citrix Gateway are affected by CVE-2020-8300:
Citrix ADC and Citrix Gateway 13.0. before 13.0-82.41
Citrix ADC and Citrix Gateway 12.1 before 12.1-62.23
Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.20
Citrix ADC 12.1-FIPS before 12.1-55.238
What Customers Should Do
The following supported versions of Citrix ADC and Citrix Gateway address CVE-2020-8300, a High severity vulnerability.
Citrix ADC and Citrix Gateway 13.0-82.41 and later releases of 13.0
Citrix ADC and NetScaler Gateway ADC 12.1-62.23 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Citrix ADC and Citrix Gateway 13.0-82.41 and later releases of 13.0
Citrix ADC and NetScaler Gateway ADC 12.1-62.23 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Citrix ADC and Citrix Gateway 13.0-82.41 and later releases of 13.0
Citrix ADC and NetScaler Gateway ADC 12.1-62.23 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Das Update von Firmware Versionen kleiner, oder gleich 12.1.59.x, bzw. 13.0.64.35 führt dazu, dass der SSO für viele Anwendungen nicht mehr funktioniert. Vor dem Update sollte daher unbedingt folgender Citrix eDocs Artikel gelesen werden: Enable SSO for Basic, Digest, and NTLM authentication (citrix.com)
Multiple vulnerabilities have been discovered in Citrix SD-WAN Center that, if exploited, could allow an unauthenticated attacker with network access to SD-WAN Center to perform arbitrary code execution as root.
These vulnerabilities have the following identifiers:
CVE
Description
Vulnerability Type
Pre-conditions
CVE-2020-8271
Unauthenticated remote code execution with root privileges
CWE-23: Path Traversal
An attacker must be able to communicate with SD-WAN Center’s Management IP/FQDN
CVE-2020-8272
Authentication Bypass resulting in exposure of SD-WAN functionality
CWE-287: Improper Authentication
An attacker must be able to communicate with SD-WAN Center’s Management IP/FQDN
CVE-2020-8273
Privilege escalation of an authenticated user to root
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‹OS Command Injection›)
The attacker must be an authenticated user on SD-WAN Center
The following supported versions of Citrix SD-WAN Center are affected by these issues:
Citrix SD-WAN 11.2 before 11.2.2
Citrix SD-WAN 11.1 before 11.1.2b
Citrix SD-WAN 10.2 before 10.2.8
Other versions are now End of Life and no longer supported.
Mitigating Factors
Citrix SD-WAN Center is an internal management platform for Citrix SD-WAN and access to Citrix SD-WAN Center is likely to be restricted.
What Customers Should Do
The issues have been addressed in the following versions of Citrix SD-WAN Center:
Citrix SD-WAN 11.2.2 and later versions of Citrix SD-WAN 11.2
Citrix SD-WAN 11.1.2b and later versions of Citrix SD-WAN 11.1
Citrix SD-WAN 10.2.8 and later versions of Citrix SD-WAN 10.2
Affected customers are strongly recommended to immediately update their deployments.
Citrix would like to thank Ariel Tempelhof of Realmode Labs for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the Citrix Trust Center at https://www.citrix.com/about/trust-center/vulnerability-process.html
Vulnerabilities have been identified in Citrix Virtual Apps and Desktops that could, if exploited, result in:
A user who has access to a Windows Virtual Desktop being able to escalate their privilege level on that Windows Virtual Desktop to SYSTEM.
Remote compromise of a Windows Virtual Desktop which has Windows file sharing (SMB) enabled.
These vulnerabilities have the following identifiers:
CVE ID
Description
Vulnerability Type
Pre-conditions
CVE-2020-8269
An unprivileged Windows user on the VDA can perform arbitrary command execution as SYSTEM
CWE-269: Improper Privilege Management
The attacker must be an authenticated user on the Windows VDA with write access to the C:\ directory
CVE-2020-8270
An unprivileged Windows user on the VDA or a SMB user can perform arbitrary command execution as SYSTEM
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‹OS Command Injection›)
The attacker must be an authenticated user on the Windows VDA or be authenticated to Windows SMB service running on the VDA
The vulnerabilities affect the following supported versions of Citrix Virtual Apps and Desktops:
Citrix Virtual Apps and Desktops 2006 and earlier versions
Citrix Virtual Apps and Desktops 1912 LTSR CU1 and earlier versions of 1912 LTSR
Citrix XenApp / XenDesktop 7.15 LTSR CU6 and earlier versions of 7.15 LTSR
Citrix XenApp / XenDesktop 7.6 LTSR CU8 and earlier versions of 7.6 LTSR
Please note that Citrix XenApp / XenDesktop 7.6 LTSR is not affected by CVE-2020-8270.
Mitigating Factors
CVE-2020-8269 – This issue is only exploitable if low-privilege users have been granted permission to write files to the C:\ directory. This permission is not default in Windows and Citrix recommends that users are only granted the permissions they require.
CVE-2020-8270 – A remote compromise is only possible when Windows file sharing (SMB) is enabled on the Windows Virtual Desktop. If authentication is required for SMB then an attacker must also be able to authenticate in order to remotely compromise the Virtual Desktop.
What Customers Should Do
The issues have been addressed in the following versions of Citrix Virtual Apps and Desktops:
Citrix Virtual Apps and Desktops 2009 or later
Citrix Virtual Apps and Desktops 1912 LTSR CU1 hotfixes CTX285870, CTX285871, CTX285872 and CTX286120, and later cumulative updates
Citrix XenApp / XenDesktop 7.15 LTSR CU6 hotfixes CTX285341, CTX285342 and CTX285344, and later cumulative updates
Citrix XenApp / XenDesktop 7.6 LTSR CU9 and later cumulative updates
Citrix strongly recommends that customers upgrade to a fixed version as soon as possible.
The latest versions of Citrix Virtual Apps and Desktops are available from the following location:
Hotfixes to address the issues in Citrix Virtual Apps and Desktops 1912 LTSR and Citrix XenApp / XenDesktop 7.15 LTSR can be downloaded from the following locations:
Customers should ensure they have installed the latest cumulative update and then apply all hotfixes for that version.
Acknowledgements
Citrix would like to thank Hannay Al-Mohanna of F-Secure Consulting and Michael Garrison of State Farm Information Security for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Vulnerabilities have been identified in Citrix Gateway Plug-in for Windows that, if exploited, could result in a local user escalating their privilege level to SYSTEM.
The vulnerabilities have the following identifiers:
CVE-2020-8257
CVE-2020-8258
These vulnerabilities affect the following supported versions of Citrix Gateway Plug-in for Windows:
Customers with Citrix ADC or Citrix Gateway:
Citrix Gateway Plug-in 13.0 for Windows before 64.35
Citrix Gateway Plug-in 12.1 for Windows before 59.16
These vulnerabilities do not affect Citrix Gateway Plug-in on other platforms.
Citrix Gateway Plug-in for Windows 11.1 is not affected by these vulnerabilities. Other versions are now End-of-Life and no longer supported.
The following supported versions of Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway) include an impacted version of Citrix Gateway Plug-in in order to distribute it to users when they connect to Citrix Gateway:
Citrix ADC and Citrix Gateway 13.0 before 64.35
NetScaler ADC and NetScaler Gateway 12.1 before 59.16
Citrix ADC 12.1-FIPS before 55.190
The issues have been addressed in the following versions of Citrix Gateway Plug-in for Windows:
Customers with Citrix ADC or Citrix Gateway:
Citrix Gateway Plug-in 13.0 for Windows 64.35 and later versions
Citrix Gateway Plug-in 12.1 for Windows 59.16 and later versions
The latest versions of Citrix Gateway Plug-in for Windows are available from:
