This report covers a series of vulnerabilities in several Citrix products, including Citrix ADC (NetScaler ADC), Citrix Gateway (NetScaler Gateway), and Citrix SD-WAN WANOP. These vulnerabilities give bad actors an excellent opportunity to gain a foothold in the environment. The vendor has issued a security update, with some of the technical details withheld. The associated risk scores of these vulnerabilities range from 6.1 to 8.8.
Here is a list of the CVEs (Common Vulnerabilities and Exposures):
The Citrix ADC (NetScaler ADC), Citrix Gateway (NetScaler Gateway), and Citrix SD-WAN WANOP vulnerabilities range from the exploitation of the management interface to attacking the VPN software platform. A list of the vulnerabilities and a short description of them can be found below.
| CVE ID | Vulnerability Type | Affected Products | Attacker Privileges | Pre-Conditions |
|---|---|---|---|---|
| CVE-2019-18177 | Information disclosure | Citrix ADC, Citrix Gateway | Authenticated VPN user | Requires a configured SSL VPN endpoint |
| CVE-2020-8187 | Denial of service | Citrix ADC, Citrix Gateway 12.0, and 11.1 only | Unauthenticated remote user | Requires a configured SSL VPN or AAA endpoint |
| CVE-2020-8190 | Local elevation of privileges | Citrix ADC, Citrix Gateway | Authenticated user on the NSIP | This issue cannot be exploited directly. An attacker must first obtain nobody privileges using another exploit |
| CVE-2020-8191 | Reflected Cross Site Scripting (XSS) | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must open an attacker-controlled link in the browser whilst being on a network with connectivity to the NSIP |
| CVE-2020-8193 | Authorization bypass | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated user with access to the NSIP | Attacker must be able to access the NSIP |
| CVE-2020-8194 | Code Injection | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must download and execute a malicious binary from the NSIP |
| CVE-2020-8195 | Information disclosure | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Authenticated user on the NSIP | - |
| CVE-2020-8196 | Information disclosure | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Authenticated user on the NSIP | - |
| CVE-2020-8197 | Elevation of privileges | Citrix ADC, Citrix Gateway | Authenticated user on the NSIP | - |
| CVE-2020-8198 | Stored Cross Site Scripting (XSS) | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must be logged in as an administrator (nsroot) on the NSIP |
| CVE-2020-8199 | Local elevation of privileges | Citrix Gateway Plug-in for Linux | Local user on the Linux computer running Citrix Gateway Plug-in | A pre-installed version of Citrix Gateway Plug-in for Linux must be running |
The NetScaler ADC, NetScaler Gateway, and SD-WAN WANOP vulnerabilities could allow a bad actor to pivot and move laterally in many ways.
CVE-2020-8194 and CVE-2020-8191 could give a bad actor the opportunity to deliver malicious payloads, such as a binary laden with Cobalt Strike or Meterpreter. Such binaries would provide beaconing or a shell that bad actors can use for reconnaissance operations in the environment.
If exploited successfully, the vulnerabilities can also allow for probing of the Citrix infrastructure in the environment. Security researchers have seen bots scanning the Internet for vulnerable hosts.
These Citrix vulnerabilities could affect your systems in the following ways:
We encourage you to implement the patches provided by the vendor immediately. According to Citrix, the following versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP remediate the vulnerabilities:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.