11 flaws in networking products Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP

The network penetration testing team from tech firm Citrix has just patched 11 different vulnerabilities detected in network products such as Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP (4000-WO, 4100-WO, 5000-WO, and 5100-WO models). The vulnerabilities do not affect cloud deployments.

According to the report, this set of flaws is not related to CVE-2019-19781, a remote code execution vulnerability that was fixed in early 2019. Updates completely fix the most recently detected bugs, so users have been asked to install the patches as soon as possible.

Network penetration testing experts have not detected cases of active exploitation of any of these flaws, and also point out that exploiting 5 of these vulnerabilities is almost impossible: “There are impediments to the deployment of some of these attacks; on the other hand, clients without reliable network traffic might be exposed to denial of service (DoS) attacks,” the report says.

The full description of the flaws, in addition to the respective firmware updates, can be found on the Citrix website. Below is a list of each of the reported vulnerabilities:

  • CVE-2019-18177: Information disclosure vulnerability
  • CVE-2020-8187: Denial of service vulnerability
  • CVE-2020-8190: Local elevation of privileges
  • CVE-2020-8191: Cross-site scripting (XSS) flaw
  • CVE-2020-8193: Authorization bypass
  • CVE-2020-8194: Code injection
  • CVE-2020-8195: Information disclosure
  • CVE-2020-8196: Information disclosure
  • CVE-2020-8197: Elevation of privileges
  • CVE-2020-8198: Cross-site scripting (XSS) flaw
  • CVE-2020-8199: Local elevation of privileges

Network penetration testing experts mention that the affected products are:

  • Citrix ADC and Citrix Gateway 13.0-58.30 and later
  • Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1
  • Citrix ADC and NetScaler Gateway 12.0-63.21 and later versions 12.0
  • Citrix ADC and NetScaler Gateway 11.1-64.14 and later versions of version 11.1
  • NetScaler ADC and NetScaler Gateway 10.5-70.18 and later versions 10.5
  • Citrix SD-WAN WANOP 11.1.1ay later
  • Citrix SD-WAN WANOP 11.0.3d and later versions 11.0
  • Citrix SD-WAN WANOP 10.2.7 and later 10.2
  • Citrix Gateway Plug-in for Linux1.0.0.137 and later

Users of affected deployments should update as soon as possible to fully mitigate the risk of exploitation.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.