Today Citrix published a security bulletin covering a set of vulnerabilities in their networking products — Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP edition. Standard procedure for most software companies in advising customers of vulnerabilities is limited to the publication of the bulletin and related CVEs. In this case, however, to avoid confusion and limit the potential for misinterpretation in the industry and our customer set, I am using this space to provide brief additional context.
As it relates to CTX276688, here are five important points to understand:
- The latest patches fully resolve all the issues.
- Of the 11 vulnerabilities, there are six possible attack routes; five of those have barriers to exploitation.
- We are not aware of any exploitation of these issues.
- Cloud versions of our networking products are not vulnerable.
- And finally, these vulnerabilities are not related to CVE-2019-19781.
All Fixes Now Available for Citrix Networking Vulnerabilities
Alongside the announcement of the vulnerabilities, patches that fully resolve all of these issues are available now. While some, but not all, of these vulnerabilities have barriers to exploitation, you are encouraged to review your entire ADC and SD-WAN WANOP estate and to apply the supplied patches as soon as possible.
Patches are available for the following networking products:
- Citrix ADC
- Citrix Gateway
- Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO
Barriers to Exploitation
Many of these attacks have barriers to exploitation; in particular, for customers with no untrusted traffic on the management network, the remaining risk is reduced to a denial-of-service attack, and only where Gateway or authentication virtual servers are in use. Other virtual servers, such as load balancing and content switching virtual servers, are not affected by the issue.
Three of the six possible attacks in CTX276688 occur in the management interface of a vulnerable device. Systems deployed in line with Citrix recommendations will already have this interface separated from the network and protected by a firewall. That configuration greatly diminishes the risk.