CERT-In Vulnerability Note
CIVN-2020-0269
Multiple Vulnerabilities in Citrix
Original Issue Date: July 10, 2020
Severity Rating: HIGH
Component Affected
- Citrix ADC and Citrix Gateway prior to version 13.0-58.30
- Citrix ADC and NetScaler Gateway prior to version 12.1-57.18
- Citrix ADC and NetScaler Gateway prior to version 12.0-63.21
- Citrix ADC and NetScaler Gateway prior to version 11.1-64.14
- NetScaler ADC and NetScaler Gateway prior to version 10.5-70.18
- Citrix SD-WAN WANOP prior to version 11.1.1a
- Citrix SD-WAN WANOP prior to version 11.0.3d
- Citrix SD-WAN WANOP prior to version 10.2.7
- Citrix Gateway Plug-in for Linux prior to version 1.0.0.137
Overview
Multiple vulnerabilities have been reported in Citrix ADC (Application Delivery Controller), Citrix Gateway and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO which could allow an attacker to gain elevated privileges or cause denial of service (DoS), information disclosure, authorization bypass, code injection and Cross Site Scripting on the targeted system.
Description
1. Information disclosure vulnerability (CVE-2020-8196, CVE-2020-8195)
A vulnerability exists in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP that could allow a remote authenticated user to obtain sensitive information. An attacker could exploit this vulnerability by sending a crafted request to the targeted device. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and use this information to launch further attacks against the affected system.
2. Privilege elevation vulnerability (CVE-2020-8190, CVE-2020-8197, CVE-2020-8199)
A vulnerability exists in Citrix ADC, Citrix Gateway and Citrix Gateway Plug-in for Linux that could allow a local authenticated malicious user to gain elevated privileges on the system. An attacker could exploit this vulnerability by executing a specially crafted program on the targeted device. Successful exploitation of this vulnerability could allow the attacker to gain elevated privileges.
3. Cross Site Scripting vulnerability (CVE-2020-8191, CVE-2020-8198)
A vulnerability exists in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP due to improper validation of user-supplied input. This vulnerability could allow a remote attacker to gain user credentials. An attacker could exploit this vulnerability by using a specially crafted URL to execute script in a victim's web browser. Successful exploitation of this vulnerability could allow the attacker to steal the victim's cookie-based authentication credentials.
4. Authorization bypass vulnerability (CVE-2020-8193)
A vulnerability exists in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP due to improper authentication validation. This vulnerability could allow a remote attacker to bypass security restrictions. An attacker could exploit this vulnerability by sending a specially crafted request to the targeted device. Successful exploitation of this vulnerability could allow the attacker to bypass access restrictions.
5. Code Injection vulnerability (CVE-2020-8194)
A vulnerability exists in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP due to a code injection flaw. This vulnerability could allow a remote attacker to execute arbitrary code on the system. An attacker could exploit this vulnerability by persuading a victim to open specially crafted content on the targeted system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted system.
Solution
Apply appropriate updates as mentioned in:
https://support.citrix.com/article/CTX276688
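A version check against the fixed ADC/Gateway builds listed under Component Affected, as an added example (not part of the CERT-In note or of Citrix's tooling). It assumes the appliance build is available either as a banner of the form "NS13.0: Build 47.24.nc" or in the dashed form used in this note; the hostnames and sample builds are constructed, and SD-WAN WANOP and the Gateway Plug-in for Linux are not covered.

```python
import re

# Fixed builds per release branch, from the "Component Affected" list of this note.
FIXED_BUILDS = {
    (13, 0): (58, 30),
    (12, 1): (57, 18),
    (12, 0): (63, 21),
    (11, 1): (64, 14),
    (10, 5): (70, 18),
}

# Assumed input shapes: a banner such as "NS13.0: Build 47.24.nc", or "13.0-47.24".
_PATTERNS = (
    re.compile(r"NS(\d+)\.(\d+):?\s+Build\s+(\d+)\.(\d+)", re.IGNORECASE),
    re.compile(r"\b(\d+)\.(\d+)-(\d+)\.(\d+)\b"),
)

def parse_version(text):
    """Return ((major, minor), (build, patch)) or None if no version is found."""
    for pattern in _PATTERNS:
        match = pattern.search(text)
        if match:
            major, minor, build, patch = map(int, match.groups())
            return (major, minor), (build, patch)
    return None

def triage(text):
    """Classify one version string against the fixed builds in the note."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"
    branch, build = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # Branch not listed in the note: needs a manual check against CTX276688.
        return "unknown-branch"
    # Compare as integer tuples: 58.4 is older than 58.30, unlike a string compare.
    return "patched" if build >= fixed else "vulnerable"

# Constructed inventory lines (hostnames and builds are made up for illustration).
SAMPLES = {
    "adc-edge-01": "NetScaler NS13.0: Build 47.24.nc",
    "adc-edge-02": "NS13.0: Build 58.4.nc",
    "adc-dmz-01": "12.1-57.18",
    "adc-lab-01": "NS11.0: Build 72.18.nc",
}

if __name__ == "__main__":
    for host, banner in SAMPLES.items():
        print(f"{host}: {triage(banner)}")
```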
Vendor Information
CITRIX
https://support.citrix.com/article/CTX276688
References
CITRIX
https://support.citrix.com/article/CTX276688
CVE Name
CVE-2020-8196
CVE-2020-8195
CVE-2020-8190
CVE-2020-8197
CVE-2020-8199
CVE-2020-8191
CVE-2020-8198
CVE-2020-8193
CVE-2020-8194
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India