Trouble comes in threes

Citrix has patched multiple network security vulnerabilities

A horrible week for sysadmins has been capped by the discovery of multiple vulnerabilities in networking security products from Citrix.

Citrix yesterday issued patches for 11 security bugs affecting its Application Delivery Controller (ADC), Gateway, and SD-WAN WAN Optimization edition networking products.

The flaws are comparable to recently disclosed vulnerabilities in enterprise-grade networking security appliances from Palo Alto and F5’s BIG-IP application delivery controller, the latter of which has become the target of active attack over recent days.

The latest Citrix flaws are similar – but less severe – to an earlier vulnerability in Citrix ADC (CVE-2019-19781), which became a vector for Ragnarok ransomware attacks.

Impact assessment

The impact of successful exploitation of the flaws addressed by Citrix this week might involve either temporary denial-of-service (i.e. crashing devices), information disclosure, local privilege elevation, or potentially worse.

System compromise by an unauthenticated user on the management network or through cross- site scripting (XSS) on the management interface are also possible, Citrix admits.

The network giant argues that, in practice, a potential attacker would have to overcome various barriers in order to have any chance of mounting a successful attack.

Simply following Citrix’s recommended installation advice considerably lowers the scope for mischief.

READ MORE F5 customers urged to patch systems as critical BIG-IP flaw is actively exploited

Citrix said none of the latest flaws have become the target for exploitation, adding that it has patched all 11 issues.

A summary of the potential impact of these various flaws can be found in an advisory from Citrix. A separate security bulletin from the vendor provides update advice.

Citrix ADC and Citrix Gateway were formerly known as NetScaler ADC and NetScaler Gateway, respectively.

YOU MIGHT ALSO LIKE Exploit developed for critical Palo Alto authentication flaw