Avertium Blog

Citrix Vulnerabilities: NetScaler ADC, NetScaler Gateway and SD-WAN WANOP

Written by Marketing | Jul 13, 2020 3:27:26 PM

Citrix Vulnerabilities Overview

This report is about a series of vulnerabilities within various Citrix products including Citrix ADC (NetScaler ADC), Citrix Gateway (NetScaler Gateway), and Citrix SD-WAN WANOP. These vulnerabilities are an excellent opportunity for bad actors to gain a foothold in the environment. A security update has been issued by the vendor with some of the technical details being withheld. The associated risk of these vulnerabilities ranges from 6.1 to 8.8.

Here is a list of the CVE (Common Vulnerabilities and Exposures):

  • CVE-2020-8197
  • CVE-2020-8199
  • CVE-2020-8190
  • CVE-2020-8194
  • CVE-2020-8187
  • CVE-2020-8193
  • CVE-2020-8195
  • CVE-2019-18177
  • CVE-2020-8196
  • CVE-2020-8198
  • CVE-2020-8191
 

Tactics, Techniques, and Procedures for Exploiting the Citrix Vulnerabilities

The Citrix ADC (NetScaler ADC), Citrix Gateway (NetScaler Gateway), and Citrix SD-WAN WANOP vulnerabilities range from the exploitation of the management interface to attacking the VPN software platform. A list of the vulnerabilities and a short description of them can be found below.

CVE ID Vulnerability Type Affected Products Attacker Privileges Pre-Conditions
CVE-2019-18177 Information disclosure   Citrix ADC, Citrix Gateway  Authenticated VPN user Requires a configured SSL VPN endpoint
CVE-2020-8187 Denial of service  Citrix ADC, Citrix Gateway 12.0, and 11.1 only Unauthenticated remote user Requires a configured SSL VPN or AAA endpoint
CVE-2020-8190 Local elevation of privileges  Citrix ADC, Citrix Gateway  Authenticated user on the NSIP This issue cannot be exploited directly. An attacker must first obtain nobody privileges using another exploit
CVE-2020-8191 Reflected Cross Site Scripting (XSS)  Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP  Unauthenticated remote user Requires a victim who must open an attacker-controlled link in the browser whilst being on a network with connectivity to the NSIP
CVE-2020-8193 Authorization bypass  Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP  Unauthenticated user with access to the NSIP Attacker must be able to access the NSIP
CVE-2020-8194 Code Injection Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP  Unauthenticated remote user  Requires a victim who must download and execute a malicious binary from the NSIP
CVE-2020-8195 Information disclosure  Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP  Authenticated user on the NSIP
CVE-2020-8196 Information disclosure  Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP  Authenticated user on the NSIP
CVE-2020-8197 Elevation of privileges  Citrix ADC, Citrix Gateway  Authenticated user on the NSIP
CVE-2020-8198 Stored Cross Site Scripting (XSS)  Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP  Unauthenticated remote user  Requires a victim who must be logged in as an administrator (nsroot) on the NSIP
CVE-2020-8199 Local elevation of privileges  Citrix Gateway Plug-in for Linux  Local user on the Linux computer running Citrix Gateway Plug-in A pre-installed version of Citrix Gateway Plug-in for Linux must be running

The NetScaler ADC, NetScaler Gateway, and SD-WAN WANOP vulnerabilities could allow a bad actor to pivot via lateral movement in a myriad of ways.

CVE-2020-8194 and CVE-2020-8191 could allow a bad actor the opportunity to deliver malicious payloads like CobaltStrike or Meterpreter laden binary. Such binaries would allow for beaconing or a shell for bad actors to engage in reconnaissance operations in the environment.

If exploited successfully, the vulnerabilities can also allow for probing of the Citrix infrastructure in the environment. Security researchers have seen bots scanning the Internet for vulnerable hosts.

What This Means to You

These Citrix vulnerabilities could affect your systems in the following ways:

  • May lead to a successful compromise of the Citrix infrastructure in the network.
  • Could result in the compromise of computers in the network.
  • May allow for reconnaissance and intelligence operations on the network architecture.

What You Should Do About these Citrix Vulnerabilities

We encourage you to implement the patches provided by the vendor immediately. According to Citrix, the following versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP remediate the vulnerabilities: 

  • Citrix ADC and Citrix Gateway 13.0-58.30 and later releases
  • Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases
  • Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 releases
  • Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 releases
  • NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases
  • Citrix SD-WAN WANOP 11.1.1a and later releases
  • Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases
  • Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases
  • Citrix Gateway Plug-in for Linux 1.0.0.137 and later versions
 

Sources and Helpful Resources

Patch Information

MITRE Mapping(s)

Additional Useful Information

https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed security service capabilities. 

Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!