Today Citrix published a security bulletin covering a set of vulnerabilities in their networking products — Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP edition. Standard procedure for most software companies in advising customers of vulnerabilities is limited to the publication of the bulletin and related CVEs. In this case, however, to avoid confusion and limit the potential for misinterpretation in the industry and our customer set, I am using this space to provide brief additional context.
Alongside the announcement of the vulnerabilities, all patches needed to fully resolve these issues are available. While some, but not all, of these vulnerabilities have barriers to exploitation, you are encouraged to review your entire ADC and SD-WAN WANOP estate and to apply the supplied patches as soon as possible.
For the following networking products:
There are barriers to many of these attacks; in particular, for customers where there is no untrustworthy traffic on the management network, the remaining risk reduces to a denial-of-service attack, and in that case only when Gateway or authentication virtual servers are being used. Other virtual servers, for example load balancing and content switching virtual servers, are not affected by the issue.
Three of the six possible attacks in CTX276688 occur in the management interface of a vulnerable device. Systems deployed in line with Citrix recommendations will already have this interface separated from the network and protected by a firewall. That configuration greatly diminishes the risk.