Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in the following security issues:
CVE-ID
Description
CWE
Affected Products
Pre-conditions
CVE-2020-8299
Network-based denial-of-service from within the same Layer 2 network segment
CWE-400: Uncontrolled Resource Consumption
Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP
The attacker machine must be in the same Layer 2 network segment as the vulnerable appliance
The following supported versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP are affected by CVE-2020-8299:
Citrix ADC and Citrix Gateway 13.0 before 13.0-76.29
Citrix ADC and Citrix Gateway 12.1 before 12.1-61.18
Citrix ADC and NetScaler Gateway 11.1 before 65.20
Citrix ADC 12.1-FIPS before 12.1-55.238
Citrix SD-WAN WANOP 11.4 before 11.4.0
Citrix SD-WAN WANOP 11.3 before 11.3.2
Citrix SD-WAN WANOP 11.3 before 11.3.1a
Citrix SD-WAN WANOP 11.2 before 11.2.3a
Citrix SD-WAN WANOP 11.1 before 11.1.2c
Citrix SD-WAN WANOP 10.2 before 10.2.9a
What Customers Should Do
The following supported versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP address CVE-2020-8299, a Medium severity vulnerability.
Citrix ADC and Citrix Gateway 13.0-76.29 and later releases of 13.0
Citrix ADC and Citrix Gateway 12.1-61.18 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Citrix SD-WAN WANOP 11.4.0 and later releases of 11.4
Citrix SD-WAN WANOP 11.3.2 and later releases of 11.3
Citrix SD-WAN WANOP 11.3.1a and later releases of 11.3
Citrix SD-WAN WANOP 11.2.3a and later releases of 11.2
Citrix SD-WAN WANOP 11.1.2c and later releases of 11.1
Citrix SD-WAN WANOP 10.2.9a and later releases of 10.2
AXACOM encourage all customer with SAML authentication to have a close look at CVE-2020-8300 and implement the described measures to fix the issue, as soon as possible.
Description of Problem
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in the following security issues:
CVE-ID
Description
CWE
Affected Products
Pre-conditions
CVE-2020-8300
SAML authentication hijack through a phishing attack to steal a valid user session
CWE-284: Improper access control
Citrix ADC, Citrix Gateway
Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP
The following supported versions of Citrix ADC and Citrix Gateway are affected by CVE-2020-8300:
Citrix ADC and Citrix Gateway 13.0. before 13.0-82.41
Citrix ADC and Citrix Gateway 12.1 before 12.1-62.23
Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.20
Citrix ADC 12.1-FIPS before 12.1-55.238
What Customers Should Do
The following supported versions of Citrix ADC and Citrix Gateway address CVE-2020-8300, a High severity vulnerability.
Citrix ADC and Citrix Gateway 13.0-82.41 and later releases of 13.0
Citrix ADC and NetScaler Gateway ADC 12.1-62.23 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Citrix ADC and Citrix Gateway 13.0-82.41 and later releases of 13.0
Citrix ADC and NetScaler Gateway ADC 12.1-62.23 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Citrix ADC and Citrix Gateway 13.0-82.41 and later releases of 13.0
Citrix ADC and NetScaler Gateway ADC 12.1-62.23 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS
Das Update von Firmware Versionen kleiner, oder gleich 12.1.59.x, bzw. 13.0.64.35 führt dazu, dass der SSO für viele Anwendungen nicht mehr funktioniert. Vor dem Update sollte daher unbedingt folgender Citrix eDocs Artikel gelesen werden: Enable SSO for Basic, Digest, and NTLM authentication (citrix.com)
Vulnerabilities have been identified in Citrix Gateway Plug-in for Windows that, if exploited, could result in a local user escalating their privilege level to SYSTEM.
The vulnerabilities have the following identifiers:
CVE-2020-8257
CVE-2020-8258
These vulnerabilities affect the following supported versions of Citrix Gateway Plug-in for Windows:
Customers with Citrix ADC or Citrix Gateway:
Citrix Gateway Plug-in 13.0 for Windows before 64.35
Citrix Gateway Plug-in 12.1 for Windows before 59.16
These vulnerabilities do not affect Citrix Gateway Plug-in on other platforms.
Citrix Gateway Plug-in for Windows 11.1 is not affected by these vulnerabilities. Other versions are now End-of-Life and no longer supported.
The following supported versions of Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway) include an impacted version of Citrix Gateway Plug-in in order to distribute it to users when they connect to Citrix Gateway:
Citrix ADC and Citrix Gateway 13.0 before 64.35
NetScaler ADC and NetScaler Gateway 12.1 before 59.16
Citrix ADC 12.1-FIPS before 55.190
The issues have been addressed in the following versions of Citrix Gateway Plug-in for Windows:
Customers with Citrix ADC or Citrix Gateway:
Citrix Gateway Plug-in 13.0 for Windows 64.35 and later versions
Citrix Gateway Plug-in 12.1 for Windows 59.16 and later versions
The latest versions of Citrix Gateway Plug-in for Windows are available from:
