On Sep 17, Citrix released security bulletin CTX281474 covering three vulnerabilities, which are fixed by new firmware releases on all supported version tracks.

The bulletin addresses the following vulnerabilities:

  • CVE-2020-8245: an HTML injection attack against the SSL VPN portal,
  • CVE-2020-8246: a denial-of-service attack originating from the management network,
  • CVE-2020-8247: an escalation of privileges on the management interface.

CVE-2020-8246 and CVE-2020-8247 are attacks on the management interface, which should never be directly reachable by unauthorized users or from the public Internet. Management traffic should be separated from production network traffic, either physically or logically (for example on a dedicated management VLAN). Doing so greatly reduces the risk of exploitation, but it does not remove the need to patch: any host that can reach the management network can still reach the interface. CVE-2020-8245, by contrast, targets the SSL VPN portal, which is typically exposed to the Internet, so that fix should not wait on network segmentation.

The issues are fixed by these firmware versions:

  • Citrix ADC and Citrix Gateway 13.0-64.35 and later
  • Citrix ADC and NetScaler Gateway 12.1-58.15 and later
  • Citrix ADC 12.1-FIPS 12.1-55.187 and later
  • Citrix ADC and NetScaler Gateway 11.1-65.12 and later.

NOTE: Citrix ADC and Citrix Gateway 12.0 has reached End of Maintenance and is also affected by these vulnerabilities, but will not receive a fixed build. Citrix recommends that customers on this version upgrade to a later version that addresses these issues.
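As an added example (not from the original post and not Citrix's code), here is a Python checker that parses the banner printed by `show ns version` on the appliance CLI and compares the build against the fixed-version table above. The banner format (`NetScaler NS13.0: Build 64.35.nc, Date: ...`) is assumed; the sample banners are constructed, and the caller must tell the script whether an appliance runs the 12.1-FIPS firmware, since the banner is assumed not to distinguish it.

```python
import re

# Minimum fixed build per version track, taken from the fixed-version list in
# CTX281474 as reproduced above. The 12.1-FIPS track has its own build numbering
# and is therefore keyed separately.
FIXED_BUILDS = {
    "13.0": (64, 35),
    "12.1": (58, 15),
    "12.1-FIPS": (55, 187),
    "11.1": (65, 12),
}

# Tracks that are End of Maintenance: affected, but no fixed build exists.
EOM_TRACKS = {"12.0"}

# Assumed format of the 'show ns version' banner, e.g.
#   NetScaler NS13.0: Build 64.35.nc, Date: Sep 11 2020, 12:45:08   (64-bit)
VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)\.nc", re.IGNORECASE)


def parse_version(banner):
    """Return (track, build_major, build_minor), or None if the banner is unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, build_major, build_minor = (int(g) for g in m.groups())
    return (f"{major}.{minor}", build_major, build_minor)


def assess(banner, fips=False):
    """Classify an appliance as fixed / vulnerable / end-of-maintenance / unknown-track.

    fips=True selects the 12.1-FIPS build table. The caller has to know whether
    the appliance runs FIPS firmware; the banner alone is assumed not to say.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unparseable"
    track, build_major, build_minor = parsed
    if track in EOM_TRACKS:
        return "end-of-maintenance"
    key = f"{track}-FIPS" if fips else track
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown-track"
    # "and later" means the fixed build itself is already patched, hence >=.
    # Tuple comparison orders by build major first, then build minor.
    return "fixed" if (build_major, build_minor) >= fixed else "vulnerable"


# Constructed sample banners (not real appliance output) covering each outcome.
SAMPLE_BANNERS = {
    "ns13-patched":  "        NetScaler NS13.0: Build 64.35.nc, Date: Sep 11 2020, 12:45:08   (64-bit)\n Done\n",
    "ns13-old":      "        NetScaler NS13.0: Build 61.48.nc, Date: Jul 1 2020, 10:00:00   (64-bit)\n Done\n",
    "ns121-fips-ok": "        NetScaler NS12.1: Build 55.187.nc, Date: Sep 1 2020, 10:00:00   (64-bit)\n Done\n",
    "ns120-eom":     "        NetScaler NS12.0: Build 63.21.nc, Date: Jan 1 2020, 10:00:00   (64-bit)\n Done\n",
    "garbage":       "ERROR: Not authorized to execute this command\n",
}


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        fips = "fips" in name
        print(f"{name:14s} -> {assess(banner, fips=fips)}")
```

Note the `ns121-fips-ok` sample: build 55.187 is fixed on the 12.1-FIPS track but would be reported as vulnerable on plain 12.1 (where 58.15 is the minimum), which is why the FIPS flag cannot be guessed from the build number. The same version string is also returned by the NITRO REST API's `nsversion` resource, so the check can be scripted across a fleet rather than pasted from individual CLI sessions.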
