Citrix Vulnerabilities Overview
This report is about a series of vulnerabilities within various Citrix products including Citrix ADC (NetScaler ADC), Citrix Gateway (NetScaler Gateway), and Citrix SD-WAN WANOP. These vulnerabilities are an excellent opportunity for bad actors to gain a foothold in the environment. A security update has been issued by the vendor with some of the technical details being withheld. The associated risk of these vulnerabilities ranges from 6.1 to 8.8.
Here is a list of the CVE (Common Vulnerabilities and Exposures):
- CVE-2020-8197
- CVE-2020-8199
- CVE-2020-8190
- CVE-2020-8194
- CVE-2020-8187
- CVE-2020-8193
- CVE-2020-8195
- CVE-2019-18177
- CVE-2020-8196
- CVE-2020-8198
- CVE-2020-8191
Tactics, Techniques, and Procedures for Exploiting the Citrix Vulnerabilities
The Citrix ADC (NetScaler ADC), Citrix Gateway (NetScaler Gateway), and Citrix SD-WAN WANOP vulnerabilities range from the exploitation of the management interface to attacking the VPN software platform. A list of the vulnerabilities and a short description of them can be found below.
| CVE ID | Vulnerability Type | Affected Products | Attacker Privileges | Pre-Conditions |
|---|---|---|---|---|
| CVE-2019-18177 | Information disclosure | Citrix ADC, Citrix Gateway | Authenticated VPN user | Requires a configured SSL VPN endpoint |
| CVE-2020-8187 | Denial of service | Citrix ADC, Citrix Gateway 12.0, and 11.1 only | Unauthenticated remote user | Requires a configured SSL VPN or AAA endpoint |
| CVE-2020-8190 | Local elevation of privileges | Citrix ADC, Citrix Gateway | Authenticated user on the NSIP | This issue cannot be exploited directly. An attacker must first obtain nobody privileges using another exploit |
| CVE-2020-8191 | Reflected Cross Site Scripting (XSS) | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must open an attacker-controlled link in the browser whilst being on a network with connectivity to the NSIP |
| CVE-2020-8193 | Authorization bypass | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated user with access to the NSIP | Attacker must be able to access the NSIP |
| CVE-2020-8194 | Code Injection | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must download and execute a malicious binary from the NSIP |
| CVE-2020-8195 | Information disclosure | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Authenticated user on the NSIP | - |
| CVE-2020-8196 | Information disclosure | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Authenticated user on the NSIP | - |
| CVE-2020-8197 | Elevation of privileges | Citrix ADC, Citrix Gateway | Authenticated user on the NSIP | - |
| CVE-2020-8198 | Stored Cross Site Scripting (XSS) | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must be logged in as an administrator (nsroot) on the NSIP |
| CVE-2020-8199 | Local elevation of privileges | Citrix Gateway Plug-in for Linux | Local user on the Linux computer running Citrix Gateway Plug-in | A pre-installed version of Citrix Gateway Plug-in for Linux must be running |
The NetScaler ADC, NetScaler Gateway, and SD-WAN WANOP vulnerabilities could allow a bad actor to pivot via lateral movement in a myriad of ways.
CVE-2020-8194 and CVE-2020-8191 could allow a bad actor the opportunity to deliver malicious payloads like CobaltStrike or Meterpreter laden binary. Such binaries would allow for beaconing or a shell for bad actors to engage in reconnaissance operations in the environment.
If exploited successfully, the vulnerabilities can also allow for probing of the Citrix infrastructure in the environment. Security researchers have seen bots scanning the Internet for vulnerable hosts.
What This Means to You
These Citrix vulnerabilities could affect your systems in the following ways:
- May lead to a successful compromise of the Citrix infrastructure in the network.
- Could result in the compromise of computers in the network.
- May allow for reconnaissance and intelligence operations on the network architecture.
What You Should Do About these Citrix Vulnerabilities
We encourage you to implement the patches provided by the vendor immediately. According to Citrix, the following versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP remediate the vulnerabilities:
- Citrix ADC and Citrix Gateway 13.0-58.30 and later releases
- Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases
- Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 releases
- Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 releases
- NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases
- Citrix SD-WAN WANOP 11.1.1a and later releases
- Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases
- Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases
- Citrix Gateway Plug-in for Linux 1.0.0.137 and later versions
Sources and Helpful Resources
- https://support.citrix.com/article/CTX276688
- https://exchange.xforce.ibmcloud.com/collection/Citrix-Vulnerabilities-Addressed-in-Latest-Security-Update-CTX276688-bd5072c10c31fd011f6f0012ec54070b
Patch Information
- https://www.citrix.com/downloads/citrix-adc/
- https://www.citrix.com/downloads/citrix-gateway/
- https://www.citrix.com/downloads/citrix-sd-wan/
MITRE Mapping(s)
- https://attack.mitre.org/tactics/TA0015/
- https://attack.mitre.org/tactics/TA0018/
- https://attack.mitre.org/tactics/TA0022/
Additional Useful Information
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed security service capabilities.
Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!