Citrix has released patches for 11 vulnerabilities in several of its popular products, including the Citrix ADC and Gateway, some of which can be used to bypass authorization to inject code under certain circumstances.
The vulnerabilities affect several products across the company’s line and range from a relatively low-risk local elevation-of-privilege flaw to more serious code injection and cross-site scripting weaknesses. Fortunately, several of the vulnerabilities have a number of mitigating factors that make exploitation more difficult. Though many of the new vulnerabilities affect the Citrix Application Delivery Controller (ADC), they’re not connected to the much more serious directory traversal flaw (CVE-2019-19781) in that product that Citrix patched earlier this year. And unlike with that previous vulnerability, there is no known exploit activity against the bugs Citrix disclosed today.
The new set of vulnerabilities affects only physical versions of the Citrix products and not cloud versions. The most serious result of an exploit against one of the vulnerabilities is that an attacker could become an authenticated user on the target appliance.
“There are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack. And in that case, only when Gateway or authentication virtual servers are being used. Other virtual servers, for example, load balancing and content switching virtual servers, are not affected by the issue,” Fermin Serna, CISO of Citrix, wrote in an explanation of the effects of the flaws.
“Three of the six possible attacks in CTX276688 occur in the management interface of a vulnerable device. Systems deployed in line with Citrix recommendations will already have this interface separated from the network and protected by a firewall. That configuration greatly diminishes the risk. Further, while I am not discounting the risk of privilege escalation, two of the remaining three possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.”
The products affected by the 11 new vulnerabilities include the Citrix ADC, Citrix Gateway, and several models of the Citrix SD-WAN WANOP appliances. Citrix is not disclosing most of the technical details of the vulnerabilities or patches in order to limit potential exploitation by attackers who monitor patch releases for possible new targets.
“Across the industry, today’s sophisticated malicious actors are using the details and patches to reverse engineer exploits. As such, we are taking steps to advise and help our customers but also do what we can to shield intelligence from malicious actors,” Serna said.