A critical security bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway could allow cyberattackers to crash entire corporate networks without needing to authenticate.
The two affected Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively. The federated working specialist pushed out a security patch on Tuesday for the vulnerability, tracked as CVE-2021-22955, which allows unauthenticated denial of service (DoS), due to uncontrolled resource consumption, according to the advisory.
Citrix also addressed a lower-severity bug that is likewise due to uncontrolled resource consumption. It impacts both previous products, as well as the Citrix SD-WAN WANOP Edition appliance. The latter provides optimization for Citrix SD-WAN deployments, which enable secure connectivity and seamless access to virtual, cloud and software-as-a-service (SaaS) apps across enterprise and branch locations.
Tracked as CVE-2021-22956, the second flaw allows temporary disruption of: a device’s management GUI; the Nitro API for configuring and monitoring NetScaler appliances programmatically; and remote procedure call (RPC) communication, which is what essentially enables distributed computing in Citrix settings.
In terms of the impact of exploitation, all three products are widely deployed globally, with Gateway and ADC alone installed in at least 80,000 companies in 158 countries as of early 2020, according to an assessment from Positive Technologies at the time.
Disruption to any of the appliances could prevent remote and branch access to corporate resources and general blocking of cloud and virtual assets and apps.
All of this makes them an attractive target for cybercriminals, and indeed, the Citrix ADC and Gateway in particular are no spring chickens when it comes to the critical vulnerability scene.
In the summer of 2020, multiple vulnerabilities were discovered that would allow code injection, information disclosure and denial of service, with many exploitable by an unauthenticated, remote attacker. And, in December of 2019, a critical RCE bug was disclosed as a zero-day that took the vendor weeks to patch.
Few Technical Details, Many Affected Products
While Citrix didn’t release technical details on the latest bugs, VulnDB noted on Wednesday that for CVE-2021-22955, “the exploitability is told to be difficult. The attack can only be initiated within the local network. The exploitation doesn’t require any form of authentication.” It assigned a severity score of 5.1 out of 10 to the bug, despite Citrix’ internal rating of “critical.”
The site also reported that exploits are calculated to be worth up to $5,000, and noted that “manipulation with an unknown input leads to a denial of service vulnerability…This is going to have an impact on availability.”
The vendor said the vulnerabilities affect the following supported versions:
Citrix ADC and Citrix Gateway (CVE-2021-22955 and CVE-2021-22956):
- Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27
- Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22
- Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23
- Citrix ADC 12.1-FIPS before 12.1-55.257
Citrix SD-WAN WANOP Edition (CVE-2021-22956):
- Models 4000-WO, 4100-WO, 5000-WO and 5100-WO
- Version 11.4 before 11.4.2
- Version 10.2 before 10.2.9c
- The WANOP feature of SD-WAN Premium Edition is not impacted.
In the case of the first Citrix ADC and Gateway bug, appliances must be configured as a VPN or AAA virtual server in order to be vulnerable.
In the case of the second bug, appliances must have access to NSIP or SNIP with management interface access.
Customers using Citrix-managed cloud services are unaffected.
Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, “Password Reset: Claiming Control of Credentials to Stop Attacks,” on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.
Register NOW for the LIVE event and submit your questions ahead of time via the registration page.