Citrix Vulnerabilities: NetScaler ADC, NetScaler Gateway and SD-WAN WANOP

Avertium Threat Report

Citrix Vulnerabilities Overview

This report covers a series of vulnerabilities in several Citrix products, including Citrix ADC (NetScaler ADC), Citrix Gateway (NetScaler Gateway), and Citrix SD-WAN WANOP. These vulnerabilities are an excellent opportunity for bad actors to gain a foothold in the environment. The vendor has issued a security update, with some of the technical details withheld. The associated risk of these vulnerabilities ranges from 6.1 to 8.8.

Here is a list of the CVEs (Common Vulnerabilities and Exposures identifiers):

  • CVE-2020-8197
  • CVE-2020-8199
  • CVE-2020-8190
  • CVE-2020-8194
  • CVE-2020-8187
  • CVE-2020-8193
  • CVE-2020-8195
  • CVE-2019-18177
  • CVE-2020-8196
  • CVE-2020-8198
  • CVE-2020-8191

Tactics, Techniques, and Procedures for Exploiting the Citrix Vulnerabilities

The Citrix ADC (NetScaler ADC), Citrix Gateway (NetScaler Gateway), and Citrix SD-WAN WANOP vulnerabilities range from exploitation of the management interface to attacking the VPN software platform. A list of the vulnerabilities and a short description of them can be found below.

CVE ID | Vulnerability Type | Affected Products | Attacker Privileges | Pre-Conditions
--- | --- | --- | --- | ---
CVE-2019-18177 | Information disclosure | Citrix ADC, Citrix Gateway | Authenticated VPN user | Requires a configured SSL VPN endpoint
CVE-2020-8187 | Denial of service | Citrix ADC, Citrix Gateway 12.0 and 11.1 only | Unauthenticated remote user | Requires a configured SSL VPN or AAA endpoint
CVE-2020-8190 | Local elevation of privileges | Citrix ADC, Citrix Gateway | Authenticated user on the NSIP | This issue cannot be exploited directly. An attacker must first obtain nobody privileges using another exploit
CVE-2020-8191 | Reflected Cross Site Scripting (XSS) | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must open an attacker-controlled link in the browser whilst being on a network with connectivity to the NSIP
CVE-2020-8193 | Authorization bypass | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated user with access to the NSIP | Attacker must be able to access the NSIP
CVE-2020-8194 | Code Injection | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must download and execute a malicious binary from the NSIP
CVE-2020-8195 | Information disclosure | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Authenticated user on the NSIP | –
CVE-2020-8196 | Information disclosure | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Authenticated user on the NSIP | –
CVE-2020-8197 | Elevation of privileges | Citrix ADC, Citrix Gateway | Authenticated user on the NSIP | –
CVE-2020-8198 | Stored Cross Site Scripting (XSS) | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated remote user | Requires a victim who must be logged in as an administrator (nsroot) on the NSIP
CVE-2020-8199 | Local elevation of privileges | Citrix Gateway Plug-in for Linux | Local user on the Linux computer running Citrix Gateway Plug-in | A pre-installed version of Citrix Gateway Plug-in for Linux must be running

The NetScaler ADC, NetScaler Gateway and SD-WAN WANOP vulnerabilities could allow a bad actor to pivot and move laterally through the environment in a myriad of ways.

CVE-2020-8194 and CVE-2020-8191 could give a bad actor the opportunity to deliver malicious payloads such as a Cobalt Strike or Meterpreter-laden binary. Such binaries would provide beaconing or a shell, letting bad actors carry out reconnaissance operations in the environment.

If exploited successfully, the vulnerabilities can also allow for probing of the Citrix infrastructure in the environment. Security researchers have seen bots scanning the Internet for vulnerable hosts.

What This Means to You

These Citrix vulnerabilities could affect your systems in the following ways:

  • May lead to a successful compromise of the Citrix infrastructure in the network.
  • Could result in the compromise of computers in the network.
  • May allow for reconnaissance and intelligence operations on the network architecture.

What You Should Do About these Citrix Vulnerabilities

We encourage you to implement the patches provided by the vendor immediately. According to Citrix, the following versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP remediate the vulnerabilities: 

  • Citrix ADC and Citrix Gateway 13.0-58.30 and later releases
  • Citrix ADC and NetScaler Gateway 12.1-57.18 and later 12.1 releases
  • Citrix ADC and NetScaler Gateway 12.0-63.21 and later 12.0 releases
  • Citrix ADC and NetScaler Gateway 11.1-64.14 and later 11.1 releases
  • NetScaler ADC and NetScaler Gateway 10.5-70.18 and later 10.5 releases
  • Citrix SD-WAN WANOP 11.1.1a and later releases
  • Citrix SD-WAN WANOP 11.0.3d and later 11.0 releases
  • Citrix SD-WAN WANOP 10.2.7 and later 10.2 releases
  • Citrix Gateway Plug-in for Linux 1.0.0.137 and later versions
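As an added example (not code from the Avertium report or from Citrix), the following Python check compares a reported version string against the fixed builds listed above, so an inventory export can be flagged for outstanding updates. The appliance-style "NetScaler NS13.0: Build 58.30.nc" input form and the hostnames in the sample are assumptions; a release branch not in the list above (for example a 13.1 build) is reported as unknown rather than patched.

```python
import re
from typing import Optional

# Minimum fixed builds per release branch, taken from the remediation list
# above. Keys are (major, minor); a branch absent here yields None.
NETSCALER_FIXED = {(13, 0): (58, 30), (12, 1): (57, 18), (12, 0): (63, 21),
                   (11, 1): (64, 14), (10, 5): (70, 18)}
# SD-WAN WANOP 11.1.1a, 11.0.3d, 10.2.7 as (patch, suffix rank); '' < 'a' < 'b' ...
WANOP_FIXED = {(11, 1): (1, 1), (11, 0): (3, 4), (10, 2): (7, 0)}
LINUX_PLUGIN_FIXED = (1, 0, 0, 137)

# Assumed input forms: the advisory's "13.0-58.30" and an appliance-style
# "NetScaler NS13.0: Build 58.30.nc" string.
_NS_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)[:\s-]*(?:Build\s+)?(\d+)\.(\d+)")

def _suffix_rank(letter: str) -> int:
    return ord(letter) - ord("a") + 1 if letter else 0

def netscaler_patched(version: str) -> Optional[bool]:
    """True if a Citrix ADC/Gateway build is at or past the fixed build for its
    branch, False if older, None if the string or branch is not recognised."""
    m = _NS_RE.search(version)
    if not m:
        return None
    major, minor, build, sub = (int(x) for x in m.groups())
    fixed = NETSCALER_FIXED.get((major, minor))
    return None if fixed is None else (build, sub) >= fixed

def wanop_patched(version: str) -> Optional[bool]:
    """Same check for SD-WAN WANOP versions such as '11.0.3d' or '10.2.7'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    fixed = WANOP_FIXED.get((int(major), int(minor)))
    if fixed is None:
        return None
    return (int(patch), _suffix_rank(letter)) >= fixed

def linux_plugin_patched(version: str) -> Optional[bool]:
    """Citrix Gateway Plug-in for Linux: plain dotted-integer comparison."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts) >= LINUX_PLUGIN_FIXED

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    sample = [("adc-1", "13.0-47.24"), ("gw-2", "NetScaler NS12.1: Build 57.18.nc")]
    for host, ver in sample:
        print(host, ver, "patched" if netscaler_patched(ver) else "UPDATE REQUIRED")
```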

Sources and Helpful Resources

Patch Information

MITRE Mapping(s)

Additional Useful Information

https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.
