
Citrix vulnerabilities

8 June 2021 (updated 9 September 2021) | CERT, SOC, Vulnerability

This blog contains information about recently published vulnerabilities in Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliances. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog.

Update June 8, 2021

16:00 | Today Citrix published information regarding two vulnerabilities in Citrix Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN WANOP appliances: CVE-2020-8299 (medium severity) and CVE-2020-8300 (high severity).

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Potential risk

Two vulnerabilities were recently published: CVE-2020-8299 (medium severity) and CVE-2020-8300 (high severity). The table below describes information published by Citrix:

CVE-2020-8299
  • Description: network-based denial of service from within the same Layer 2 network segment
  • CWE: CWE-400, Uncontrolled Resource Consumption
  • Affected products: Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP
  • Pre-condition: the attacker machine must be in the same Layer 2 network segment as the vulnerable appliance

CVE-2020-8300
  • Description: SAML authentication hijack through a phishing attack to steal a valid user session
  • CWE: CWE-284, Improper Access Control
  • Affected products: Citrix ADC, Citrix Gateway
  • Pre-condition: Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP

Detail info

Citrix lists the following affected versions per CVE.

The following supported versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP are affected by CVE-2020-8299:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-76.29
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-61.18
  • Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.20
  • Citrix ADC 12.1-FIPS before 12.1-55.238
  • Citrix SD-WAN WANOP 11.4 before 11.4.0
  • Citrix SD-WAN WANOP 11.3 before 11.3.2
  • Citrix SD-WAN WANOP 11.3 before 11.3.1a
  • Citrix SD-WAN WANOP 11.2 before 11.2.3a
  • Citrix SD-WAN WANOP 11.1 before 11.1.2c
  • Citrix SD-WAN WANOP 10.2 before 10.2.9a

The following supported versions of Citrix ADC and Citrix Gateway are affected by CVE-2020-8300:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-82.41
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-62.23
  • Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.20
  • Citrix ADC 12.1-FIPS before 12.1-55.238

Citrix indicates that for CVE-2020-8300 upgrading alone is not sufficient: manual configuration changes are needed after upgrading to a fixed version.
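
As an added example (not tooling from Citrix or Tesorion), the Python below turns the two version lists above and the SAML pre-condition from the table into a check that can be run against the output of `show ns version` and a copy of ns.conf. It assumes the version line has the form `NetScaler NS13.0: Build 76.29.nc, Date: ...`, that 12.1-FIPS appliances report 55.x builds on the 12.1 train, and that a SAML SP or IdP role shows up in ns.conf as an `add authentication samlAction` or `add authentication samlIdPProfile` line; the sample inputs are constructed. SD-WAN WANOP follows a different version scheme and is not covered.

```python
"""Map the affected-version lists and the SAML pre-condition above into a check.

Added example, not tooling from Citrix or Tesorion. Assumptions (labelled):
  * `show ns version` output looks like "NetScaler NS13.0: Build 76.29.nc, Date: ...";
  * 12.1-FIPS builds are the 55.x builds on the 12.1 train;
  * SAML SP / IdP roles appear in ns.conf as `add authentication samlAction` and
    `add authentication samlIdPProfile` lines.
SD-WAN WANOP uses a different version scheme and is not covered.
"""
import re

# Fixed builds per release train, copied from the lists above: release -> (major, minor).
FIXED_BUILDS = {
    "CVE-2020-8299": {"13.0": (76, 29), "12.1": (61, 18), "11.1": (65, 20), "12.1-FIPS": (55, 238)},
    "CVE-2020-8300": {"13.0": (82, 41), "12.1": (62, 23), "11.1": (65, 20), "12.1-FIPS": (55, 238)},
}

# Assumed `show ns version` format: "NetScaler NS<release>: Build <major>.<minor>.nc, ..."
VERSION_RE = re.compile(r"NS(?P<release>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)")


def parse_version(show_ns_version):
    """Return (release, (major, minor)) from `show ns version` output."""
    m = VERSION_RE.search(show_ns_version)
    if m is None:
        raise ValueError("unrecognised version string: %r" % show_ns_version)
    release = m.group("release")
    build = (int(m.group("major")), int(m.group("minor")))
    # Assumption: FIPS appliances report the 12.1 train with 55.x build numbers.
    if release == "12.1" and build[0] == 55:
        release = "12.1-FIPS"
    return release, build


def is_affected(release, build, cve):
    """True if the build predates the fix, False if fixed, None if the train is not listed above."""
    fixed = FIXED_BUILDS[cve].get(release)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison, e.g. (76, 29) < (82, 41)


def saml_roles(ns_conf):
    """Return the SAML roles ('SP', 'IdP') configured in an ns.conf text."""
    roles = set()
    for line in ns_conf.splitlines():
        if line.startswith("add authentication samlAction "):
            roles.add("SP")
        elif line.startswith("add authentication samlIdPProfile "):
            roles.add("IdP")
    return roles


def assess(show_ns_version, ns_conf):
    """Combine the build check with the pre-conditions into one report per CVE."""
    release, build = parse_version(show_ns_version)
    roles = saml_roles(ns_conf)
    report = {"release": release, "build": build, "saml_roles": sorted(roles)}
    # CVE-2020-8299: the pre-condition (attacker on the same Layer 2 segment) is a
    # network property, not visible in the config, so only the build is assessed.
    report["CVE-2020-8299"] = is_affected(release, build, "CVE-2020-8299")
    # CVE-2020-8300: needs a vulnerable build AND a SAML SP or IdP role.
    vulnerable = is_affected(release, build, "CVE-2020-8300")
    report["CVE-2020-8300"] = None if vulnerable is None else (vulnerable and bool(roles))
    return report


# Constructed sample input: a 13.0-76.29 appliance acting as SAML SP.
SAMPLE_VERSION = "NetScaler NS13.0: Build 76.29.nc, Date: Apr 15 2021, 09:15:38   (64-bit)"
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlAction saml_sp_act -samlIdPCertName idp_cert -samlSigningCertName sp_cert
add authentication vserver auth_vs SSL 10.0.0.11 443
"""

if __name__ == "__main__":
    r = assess(SAMPLE_VERSION, SAMPLE_NS_CONF)
    for key, value in r.items():
        print("%-14s %s" % (key, value))
    if r["CVE-2020-8300"]:
        fixed = FIXED_BUILDS["CVE-2020-8300"][r["release"]]
        print(f"Upgrade to {r['release']}-{fixed[0]}.{fixed[1]} or later, then apply the manual "
              "SAML configuration changes Citrix describes in its advisory.")
```

For the sample appliance the report shows CVE-2020-8299 already fixed (13.0-76.29 is the fixed build) but CVE-2020-8300 exploitable, because the build predates 13.0-82.41 and a SAML SP action is configured. A `None` result means the release train is not one of those listed on this page, not that the appliance is safe.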

These issues have already been addressed in Citrix-managed cloud services such as Citrix Gateway Service and Citrix Secure Workspace Access. Customers using Citrix-managed services do not need to take any additional action.

Background

Learn more about these vulnerabilities on the Citrix support page
