In a breath of fresh air this week, software vendor Citrix released patches for 11 vulnerabilities, applying the lesson learned six months ago, when malicious hackers were hunting for ways to exploit a vulnerability before patches were available, and not wanting a repeat.
Citrix Chief Information Security Officer Fermin J. Serna released a bulletin on Tuesday, July 7, covering a set of vulnerabilities in Citrix's products: Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP edition. For most software companies, the standard procedure for advising customers of vulnerabilities is limited to publishing the bulletin and the related CVEs.
Serna took the opportunity to explain the following points as they relate to CTX276688.
- The latest patches fully resolve all the issues.
- Of the 11 vulnerabilities, there are six possible attack routes; five of those have barriers to exploitation.
- We are not aware of any exploitation of these issues.
- And finally, these vulnerabilities are not related to CVE-2019-19781.
Barriers to Exploitation
There are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack, and in that case only when Gateway or authentication virtual servers are being used. Other virtual servers, for example, load balancing and content switching virtual servers, are not affected by the issue.
Three of the six possible attacks in CTX276688 occur in the management interface of a vulnerable device. Systems deployed in line with Citrix recommendations will already have this interface separated from the network and protected by a firewall. That configuration greatly diminishes the risk.
Further, while I am not discounting the risk of privilege escalation, two of the remaining three possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.
While these barriers reduce the risk of these vulnerabilities, Citrix strongly recommends quick application of the supplied patches.
To help our customers and the industry understand these vulnerabilities, I have included a brief summary of the vulnerabilities, the affected products, and the attack vector in the table form below. The security bulletin and CVEs provide much greater detail and should be used for technical guidance.
There is no technical link between CVE-2019-19781 and CTX276688. Further, with CVE-2019-19781, we took the unusual step of publishing temporary mitigations in December, with subsequent permanent patches being available in January 2020. We took that step because of a high likelihood an exploit was “in the wild” and temporary mitigations gave our customers a chance to protect themselves. That is in stark contrast to the current situation: with the vulnerabilities in CTX276688, at the time of this publication, we know of no malicious exploits and have published patches that fully resolve the issues.
Citrix SD-WAN WANOP
Customers on Citrix SD-WAN WANOP should also pay heed to the advisory just released, as ADC is a component within the SD-WAN WANOP deployment. Fixes are available at https://www.citrix.com/downloads/citrix-sd-wan/
Protecting Our Customers
We are limiting the public disclosure of many of the technical details of the vulnerabilities and the patches to further protect our customers. Across the industry, today’s sophisticated malicious actors are using the details and patches to reverse engineer exploits. As such, we are taking steps to advise and help our customers but also do what we can to shield intelligence from malicious actors.
Relatedly, we have added staff to our technical support call centers and are prepared to assist our customers. We've built and tested our patches to high standards, both to ensure effectiveness and with ease of implementation in mind.
Bottom line: patches are available, and we encourage our customers to apply them to reduce risk.
You can use Citrix ADM Service for simplified and bulk upgrade of all your Citrix ADC instances. Please refer to this documentation to learn more. Citrix ADM Service is a SaaS solution available on Citrix Cloud to help manage, monitor, analyze, and troubleshoot your global hybrid multi-cloud application delivery infrastructure from a single touchpoint. It helps with faster time to value and brings in operational efficiency. Here is a video to help get you onboarded to Citrix ADM Service. You can also view our documentation here.
Also of note, we remain committed to incorporating feedback from our customers and adapting our communication and customer support offerings as needed.
As noted in this blog, we recently updated our vulnerability processes, and we published those updates on the Citrix Trust Center website. These updates include enhancements in our processes around international standard ISO/IEC 29147:2018; an opportunity to apply for pre-notification of security bulletins; and the Hall of Fame honoring those third parties that work collaboratively and responsibly with us to improve the security of our products.
|CVE ID|Vulnerability Type|Affected Products|Attacker Privileges|Pre-conditions|
|---|---|---|---|---|
|CVE-2019-18177|Information disclosure|Citrix ADC, Citrix Gateway|Authenticated VPN user|Requires a configured SSL VPN endpoint|
|CVE-2020-8187|Denial of service|Citrix ADC, Citrix Gateway 12.0 and 11.1 only|Unauthenticated remote user|Requires a configured SSL VPN or AAA endpoint|
|CVE-2020-8190|Local elevation of privileges|Citrix ADC, Citrix Gateway|Authenticated user on the NSIP|This issue cannot be exploited directly. An attacker must first obtain nobody privileges using another exploit|
|CVE-2020-8191|Reflected Cross Site Scripting (XSS)|Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP|Unauthenticated remote user|Requires a victim who must open an attacker-controlled link in the browser while being on a network with connectivity to the NSIP|
|CVE-2020-8193|Authorization bypass|Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP|Unauthenticated user with access to the NSIP|Attacker must be able to access the NSIP|
|CVE-2020-8194|Code Injection|Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP|Unauthenticated remote user|Requires a victim who must download and execute a malicious binary from the NSIP|
|CVE-2020-8195|Information disclosure|Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP|Authenticated user on the NSIP|–|
|CVE-2020-8196|Information disclosure|Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP|Authenticated user on the NSIP|–|
|CVE-2020-8197|Elevation of privileges|Citrix ADC, Citrix Gateway|Authenticated user on the NSIP|–|
|CVE-2020-8198|Stored Cross Site Scripting (XSS)|Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP|Unauthenticated remote user|Requires a victim who must be logged in as an administrator (nsroot) on the NSIP|
|CVE-2020-8199|Local elevation of privileges|Citrix Gateway Plug-in for Linux|Local user on the Linux computer running Citrix Gateway Plug-in|A pre-installed version of Citrix Gateway Plug-in for Linux must be running|
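The "Barriers to Exploitation" reasoning above (an isolated management network removes every attack that needs the NSIP, leaving a denial-of-service exposure for unauthenticated attackers) can be applied mechanically to the table. The following is an added example, not code from Citrix or from the article: it parses a constructed copy of the table in the page's own pipe-delimited layout and filters rows on whether the "Attacker Privileges" or "Pre-conditions" column names the NSIP and whether the attacker must already hold an account or local foothold. Treating each CVE row independently is this example's simplification; the bulletin groups the 11 CVEs into six attack routes, and that grouping is not reproduced here.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed copy of the advisory table above, kept in the page's pipe layout.
ADVISORY_TABLE = """\
|CVE ID||Vulnerability Type||Affected Products||Attacker Privileges||Pre-conditions|
|CVE-2019-18177||Information disclosure||Citrix ADC, Citrix Gateway||Authenticated VPN user||Requires a configured SSL VPN endpoint|
|CVE-2020-8187||Denial of service||Citrix ADC, Citrix Gateway 12.0 and 11.1 only||Unauthenticated remote user||Requires a configured SSL VPN or AAA endpoint|
|CVE-2020-8190||Local elevation of privileges||Citrix ADC, Citrix Gateway||Authenticated user on the NSIP||This issue cannot be exploited directly. An attacker must first obtain nobody privileges using another exploit|
|CVE-2020-8191||Reflected Cross Site Scripting (XSS)||Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP||Unauthenticated remote user||Requires a victim who must open an attacker-controlled link in the browser while being on a network with connectivity to the NSIP|
|CVE-2020-8193||Authorization bypass||Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP||Unauthenticated user with access to the NSIP||Attacker must be able to access the NSIP|
|CVE-2020-8194||Code Injection||Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP||Unauthenticated remote user||Requires a victim who must download and execute a malicious binary from the NSIP|
|CVE-2020-8195||Information disclosure||Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP||Authenticated user on the NSIP||-|
|CVE-2020-8196||Information disclosure||Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP||Authenticated user on the NSIP||-|
|CVE-2020-8197||Elevation of privileges||Citrix ADC, Citrix Gateway||Authenticated user on the NSIP||-|
|CVE-2020-8198||Stored Cross Site Scripting (XSS)||Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP||Unauthenticated remote user||Requires a victim who must be logged in as an administrator (nsroot) on the NSIP|
|CVE-2020-8199||Local elevation of privileges||Citrix Gateway Plug-in for Linux||Local user on the Linux computer running Citrix Gateway Plug-in||A pre-installed version of Citrix Gateway Plug-in for Linux must be running|
"""


@dataclass
class Finding:
    """One row of the advisory table (hypothetical record type for this example)."""
    cve: str
    vuln_type: str
    products: str
    privileges: str
    preconditions: str

    @property
    def needs_nsip(self) -> bool:
        """True when the row names the management IP (NSIP) in either column."""
        return "NSIP" in self.privileges or "NSIP" in self.preconditions

    @property
    def needs_existing_access(self) -> bool:
        """True when the attacker must already be authenticated or local."""
        return self.privileges.startswith(("Authenticated", "Local"))


def parse_table(text: str) -> list[Finding]:
    """Parse the double-pipe table; header and malformed lines are skipped."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("||")]
        if len(cells) != 5 or cells[0] == "CVE ID":
            continue
        findings.append(Finding(*cells))
    return findings


def remaining_exposure(findings: list[Finding],
                       management_network_trusted: bool,
                       unauthenticated_only: bool = False) -> list[str]:
    """Return the CVE IDs still reachable under the given deployment assumptions.

    management_network_trusted: no untrusted traffic can reach the NSIP, so every
        row that depends on the NSIP is dropped (the bulletin's firewall barrier).
    unauthenticated_only: additionally drop rows needing an account or local
        foothold, leaving what an anonymous remote attacker could attempt.
    """
    kept = []
    for f in findings:
        if management_network_trusted and f.needs_nsip:
            continue
        if unauthenticated_only and f.needs_existing_access:
            continue
        kept.append(f.cve)
    return kept


if __name__ == "__main__":
    rows = parse_table(ADVISORY_TABLE)
    print("all rows:", len(rows))
    print("NSIP isolated:", remaining_exposure(rows, True))
    print("NSIP isolated, anonymous remote only:", remaining_exposure(rows, True, True))
```

With the management network isolated the filter leaves CVE-2019-18177 (needs a VPN account), CVE-2020-8187 (the denial of service against a configured SSL VPN or AAA endpoint) and CVE-2020-8199 (local to a Linux client); restricting further to anonymous remote attackers leaves only the denial of service, which is the bulletin's stated residual risk. The same filter can be rerun against a deployment where the NSIP is reachable from user networks to see how much of the table comes back into scope before patching.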