Today, Citrix released a group of vulnerabilities that cover Citrix ADC (formerly known as Citrix NetScaler), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WanOp appliances. These vulnerabilities, if exploited, could result in a number of security issues. Versions of Citrix ADC, Citrix Gateway, and Citrix SDWAN WanOp affected include:
– NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases.
– Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 releases.
– Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 releases.
– Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases.
– Citrix ADC and Citrix Gateway 13.0-58.30 and later releases.
– Citrix SD-WAN WANOP 11.1.1a and later releases.
– Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases.
– Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases.
– Citrix Gateway Plug-in for Linux 188.8.131.52 and later versions.
Thankfully, these vulnerabilities do not rise to the levels of those Citrix released last December. Customers who have configured their systems in accordance with Citrix recommendations (in https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html) have significantly reduced their risk from attacks to the management interface. Other good news compared to the December vulnerability is that patches already exist. You should ensure you have the latest firmware applied to your devices. Also, the Citrix Cloud versions of the products do not contain these vulnerabilities.
You can find the details of the security bulletin here: https://support.citrix.com/article/CTX276688
Citrix has released a good blog that explains each of the items and what risks you would have here: https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/
How Conversant Group Can Help
We are standing ready to assist with applying any remediations required. Please reach out to us to request we review ADC/Gateway/WANOP to confirm whether you are vulnerable. We will report findings and recommended next steps.