Citrix ADC (formerly Netscaler): vulnerability allows denial of service, patch available
PUBLISHED ON BY ILEA.CON E.KFM.
Affected Products
Citrix Application Delivery Controller (ADC, previously known as Netscaler) & Gateway
– Version 13, patch lower than 13.0-83.27
– Version 12, patch lower than 12.1-63.22
– Version 11, patch lower than 11.1-65.23
– Citrix ADC 12.1-FIPS, patch lower than 12.1-55.257
SD-WAN WANOP
Known Attack Vectors
Risk level 1 – can be exploited from outside of the corporate network | X |
Risk level 2 – can be exploited from within the corporate network | X |
Risk level 3 – can be exploited on the local machine | X |
Description of the Attack
Denial of service: an unauthenticated attacker can overload the system resources and cause an outage.
Uncontrolled resource consumption: attackers can disrupt the management GUI, the Nitro API and RPC communication.
Recommendation / Resolution
We recommend installing the latest security patches and reviewing the configuration of the appliance, since the update alone may not close the second vulnerability (disruption of the management GUI).
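As an added example (not from this advisory or from Citrix), the following Python check compares an appliance's build number against the fixed builds listed under Affected Products, so an administrator can confirm whether a given ADC or Gateway still needs the patch. The layout of the `show ns version` banner and the sample banner are assumptions, not captured output.

```python
import re

# Lowest fixed build per major release, taken from the advisory above.
# Anything that compares lower (field by field) is affected. The 12.1-FIPS
# build line has its own fixed build and is handled separately.
FIXED_BUILDS = {
    11: (11, 1, 65, 23),
    12: (12, 1, 63, 22),
    13: (13, 0, 83, 27),
}
FIXED_BUILD_FIPS = (12, 1, 55, 257)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
# Assumed layout of the first line of `show ns version` output, e.g.
# "NetScaler NS13.0: Build 82.45.nc, Date: ..." (constructed sample below).
_SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+\.\d+)")


def parse_version(version: str) -> tuple:
    """Turn '13.0-83.27' into the comparable tuple (13, 0, 83, 27)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix ADC version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_from_show_output(text: str) -> str:
    """Extract '13.0-82.45' from a `show ns version` banner (format assumed)."""
    m = _SHOW_VERSION_RE.search(text)
    if not m:
        raise ValueError("no NetScaler version banner found in output")
    return f"{m.group(1)}-{m.group(2)}"


def is_affected(version: str, fips: bool = False) -> bool:
    """True when the build is below the fixed build listed in the advisory."""
    v = parse_version(version)
    if fips:
        if v[:2] != (12, 1):
            raise ValueError("advisory lists a FIPS fixed build only for 12.1")
        return v < FIXED_BUILD_FIPS
    if v[0] not in FIXED_BUILDS:
        raise ValueError(f"release {v[0]}.x is not covered by the advisory; check CTX330728")
    return v < FIXED_BUILDS[v[0]]


# Constructed sample banner, not captured from a real appliance.
SAMPLE_SHOW_VERSION = "NetScaler NS13.0: Build 82.45.nc, Date: Jan 1 2021, 00:00:00   (64-bit)"

if __name__ == "__main__":
    found = version_from_show_output(SAMPLE_SHOW_VERSION)
    print(found, "affected" if is_affected(found) else "patched")
```

Note that a patched build only removes the first issue; the management GUI exposure still depends on the configuration review the Citrix guide describes.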
Additional Information
https://support.citrix.com/article/CTX330728 (Citrix Article on this vulnerability)
https://support.citrix.com/article/CTX331588 (Citrix Configuration Guide for Delivery Controller, Gateway and SD-WAN WANOP)