On Sep 17, Citrix released the CTX281474 article covering three vulnerabilities, which are fixed by new firmware releases on all supported version tracks.
The following vulnerabilities are addressed here:
- CVE-2020-8245: An HTML injection attack against the SSL VPN portal,
- CVE-2020-8246: A Denial-of-Service attack originating from the management network,
- CVE-2020-8247: An escalation of privileges on the management interface.
CVE-2020-8246 and CVE-2020-8247 are attacks on the management interfaces, which should NOT be directly reachable by unauthorized users or from the public Internet. In general, management interface traffic should be separated from normal network traffic, either physically or logically. Doing so greatly diminishes the risk of exploitation.
The issues are fixed by these firmware versions:
- Citrix ADC and Citrix Gateway 13.0-64.35 and later
- Citrix ADC and NetScaler Gateway 12.1-58.15 and later
- Citrix ADC 12.1-FIPS 12.1-55.187 and later
- Citrix ADC and NetScaler Gateway 11.1-65.12 and later.
NOTE: Citrix ADC and Citrix Gateway 12.0, which has reached End of Maintenance, is impacted by these vulnerabilities. Citrix recommends that customers using this version upgrade to a later version that addresses these issues.
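To check an appliance inventory against the fixed builds listed above, the following added example (not code from Citrix or from the original post) classifies build strings per release track. It assumes versions are written in the `release-build` form used on this page and that the caller knows which appliances run the FIPS track; the hostnames and sample builds are constructed.

```python
import re

# Fixed builds per release track, taken from the list above.
FIXED = {
    ("13.0", False): (64, 35),
    ("12.1", False): (58, 15),
    ("12.1", True): (55, 187),   # 12.1-FIPS track
    ("11.1", False): (65, 12),
}
# 12.0 is End of Maintenance and impacted: no fixed build on that track.
EOM_IMPACTED = {"12.0"}

VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def assess(version, fips=False):
    """Classify a build string such as '13.0-64.35'.

    Returns 'fixed', 'vulnerable', 'eom-impacted' or 'unknown'.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    release = m.group(1)
    build = (int(m.group(2)), int(m.group(3)))
    if release in EOM_IMPACTED:
        return "eom-impacted"
    fixed = FIXED.get((release, fips))
    if fixed is None:
        return "unknown"  # track not listed in the advisory summary
    # Compare numerically as tuples: 58.9 is older than 58.15.
    return "fixed" if build >= fixed else "vulnerable"


def triage(inventory):
    """Map each (host, version, fips) entry to its assessment."""
    return {host: assess(version, fips) for host, version, fips in inventory}


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = [
    ("adc-01", "13.0-64.35", False),
    ("adc-02", "13.0-58.32", False),
    ("adc-03", "12.1-58.9", False),
    ("adc-fips", "12.1-55.190", True),
    ("adc-old", "12.0-63.21", False),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

The FIPS flag matters: a 12.1-FIPS build such as 12.1-55.190 is fixed on its own track even though its build number is lower than 12.1-58.15.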
Marco Klose works as a Technical Consultant, Architect and CTO focused on Application & Desktop virtualization as well as application delivery with the Citrix product portfolio. He specializes in Citrix virtualization, Citrix networking and Microsoft products. He has 10+ years of experience, holds the latest Citrix certifications and is a member of the Citrix Partner Expert Council EMEA (PTEC).