Citrix hat heute ein neues Security Bulletin veröffentlicht. Es gibt zwei neue Schwachstellen in allen NetScaler Versionen, welche eine Denial of Service Attacke ermöglichen. Eine der Schwachstellen wurde mit dem Status «Critical» versehen, da sie sich ohne Authentifizierung vom Internet aus ausnutzen lässt.
CVE-ID
Description
CWE
Affected Products
Pre-conditions
Criticality
CVE-2021-22955
Unauthenticated denial of service
CWE-400: Uncontrolled Resource Consumption
Citrix ADC, Citrix Gateway
Appliance must be configured as a VPN (Gateway) or AAA virtual server
Critical
CVE-2021-22956
Temporary disruption of the Management GUI, Nitro API and RPC communication
Das Update von Firmware Versionen kleiner, oder gleich 12.1.59.x, bzw. 13.0.64.35 führt dazu, dass der SSO für viele Anwendungen nicht mehr funktioniert. Vor dem Update sollte daher unbedingt folgender Citrix eDocs Artikel gelesen werden: Enable SSO for Basic, Digest, and NTLM authentication (citrix.com)
In NetScaler 13.1.4.43 sind Classic Policies nicht mehr supportet. Vor einem Update auf 13.1.x sollte daher unbedingt eine vorherige Überprüfung der NetScaler Konfiguration durchgeführt werden, s. Classic Policy Deprecation FAQs
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in the following security issues:
CVE-ID
Description
CWE
Affected Products
Pre-conditions
CVE-2020-8299
Network-based denial-of-service from within the same Layer 2 network segment
CWE-400: Uncontrolled Resource Consumption
Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP
The attacker machine must be in the same Layer 2 network segment as the vulnerable appliance
The following supported versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP are affected by CVE-2020-8299:
Citrix ADC and Citrix Gateway 13.0 before 13.0-76.29
Citrix ADC and Citrix Gateway 12.1 before 12.1-61.18
Citrix ADC and NetScaler Gateway 11.1 before 65.20
Citrix ADC 12.1-FIPS before 12.1-55.238
Citrix SD-WAN WANOP 11.4 before 11.4.0
Citrix SD-WAN WANOP 11.3 before 11.3.2
Citrix SD-WAN WANOP 11.3 before 11.3.1a
Citrix SD-WAN WANOP 11.2 before 11.2.3a
Citrix SD-WAN WANOP 11.1 before 11.1.2c
Citrix SD-WAN WANOP 10.2 before 10.2.9a
What Customers Should Do
The following supported versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP address CVE-2020-8299, a Medium severity vulnerability.
Citrix ADC and Citrix Gateway 13.0-76.29 and later releases of 13.0
Citrix ADC and Citrix Gateway 12.1-61.18 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Citrix SD-WAN WANOP 11.4.0 and later releases of 11.4
Citrix SD-WAN WANOP 11.3.2 and later releases of 11.3
Citrix SD-WAN WANOP 11.3.1a and later releases of 11.3
Citrix SD-WAN WANOP 11.2.3a and later releases of 11.2
Citrix SD-WAN WANOP 11.1.2c and later releases of 11.1
Citrix SD-WAN WANOP 10.2.9a and later releases of 10.2
AXACOM encourage all customer with SAML authentication to have a close look at CVE-2020-8300 and implement the described measures to fix the issue, as soon as possible.
Description of Problem
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in the following security issues:
CVE-ID
Description
CWE
Affected Products
Pre-conditions
CVE-2020-8300
SAML authentication hijack through a phishing attack to steal a valid user session
CWE-284: Improper access control
Citrix ADC, Citrix Gateway
Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP
The following supported versions of Citrix ADC and Citrix Gateway are affected by CVE-2020-8300:
Citrix ADC and Citrix Gateway 13.0. before 13.0-82.41
Citrix ADC and Citrix Gateway 12.1 before 12.1-62.23
Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.20
Citrix ADC 12.1-FIPS before 12.1-55.238
What Customers Should Do
The following supported versions of Citrix ADC and Citrix Gateway address CVE-2020-8300, a High severity vulnerability.
Citrix ADC and Citrix Gateway 13.0-82.41 and later releases of 13.0
Citrix ADC and NetScaler Gateway ADC 12.1-62.23 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Citrix ADC and Citrix Gateway 13.0-82.41 and later releases of 13.0
Citrix ADC and NetScaler Gateway ADC 12.1-62.23 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Citrix ADC and Citrix Gateway 13.0-82.41 and later releases of 13.0
Citrix ADC and NetScaler Gateway ADC 12.1-62.23 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Das Update von Firmware Versionen kleiner, oder gleich 12.1.59.x, bzw. 13.0.64.35 führt dazu, dass der SSO für viele Anwendungen nicht mehr funktioniert. Vor dem Update sollte daher unbedingt folgender Citrix eDocs Artikel gelesen werden: Enable SSO for Basic, Digest, and NTLM authentication (citrix.com)
Multiple vulnerabilities have been discovered in Citrix SD-WAN Center that, if exploited, could allow an unauthenticated attacker with network access to SD-WAN Center to perform arbitrary code execution as root.
These vulnerabilities have the following identifiers:
CVE
Description
Vulnerability Type
Pre-conditions
CVE-2020-8271
Unauthenticated remote code execution with root privileges
CWE-23: Path Traversal
An attacker must be able to communicate with SD-WAN Center’s Management IP/FQDN
CVE-2020-8272
Authentication Bypass resulting in exposure of SD-WAN functionality
CWE-287: Improper Authentication
An attacker must be able to communicate with SD-WAN Center’s Management IP/FQDN
CVE-2020-8273
Privilege escalation of an authenticated user to root
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‹OS Command Injection›)
The attacker must be an authenticated user on SD-WAN Center
The following supported versions of Citrix SD-WAN Center are affected by these issues:
Citrix SD-WAN 11.2 before 11.2.2
Citrix SD-WAN 11.1 before 11.1.2b
Citrix SD-WAN 10.2 before 10.2.8
Other versions are now End of Life and no longer supported.
Mitigating Factors
Citrix SD-WAN Center is an internal management platform for Citrix SD-WAN and access to Citrix SD-WAN Center is likely to be restricted.
What Customers Should Do
The issues have been addressed in the following versions of Citrix SD-WAN Center:
Citrix SD-WAN 11.2.2 and later versions of Citrix SD-WAN 11.2
Citrix SD-WAN 11.1.2b and later versions of Citrix SD-WAN 11.1
Citrix SD-WAN 10.2.8 and later versions of Citrix SD-WAN 10.2
Affected customers are strongly recommended to immediately update their deployments.
Citrix would like to thank Ariel Tempelhof of Realmode Labs for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the Citrix Trust Center at https://www.citrix.com/about/trust-center/vulnerability-process.html
