The distributed computing vendor patched the flaw, affecting Citrix ADC and Gateway, along with another flaw affecting availability for SD-WAN appliances.
A critical security bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway could allow cyberattackers to crash entire company networks without needing to authenticate.
The two affected Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively. The vendor pushed out a security patch on Tuesday for the vulnerability, tracked as CVE-2021-22955, which allows unauthenticated denial of service (DoS) due to uncontrolled resource consumption, according to the advisory.
Citrix also addressed a lower-severity bug that is likewise due to uncontrolled resource consumption. It affects both of the preceding products, as well as the Citrix SD-WAN WANOP Edition appliance. The latter provides optimization for Citrix SD-WAN deployments, which enable secure connectivity and seamless access to virtual, cloud and software-as-a-service (SaaS) applications across enterprise and branch locations.
Tracked as CVE-2021-22956, the second flaw allows temporary disruption of:
- a device's management GUI;
- the Nitro API, used for configuring and monitoring NetScaler appliances programmatically; and
- remote procedure call (RPC) communication, which is what actually enables distributed computing in Citrix environments.
In terms of the impact of exploitation, all three products are widely deployed globally, with Gateway and ADC alone installed in at least 80,000 companies in 158 countries as of early 2020, according to an analysis from Positive Technologies at the time.
Disruption to any of the appliances could prevent remote and branch access to corporate resources, and generally block cloud and virtual assets and applications.
All of this makes them an attractive target for cybercriminals, and in fact, the Citrix ADC and Gateway in particular are no spring chickens when it comes to the critical vulnerability scene.
In the summer of 2020, multiple vulnerabilities were identified that would allow code injection, information disclosure and denial of service, with several exploitable by an unauthenticated, remote attacker. And, in December of 2019, a critical RCE bug was disclosed as a zero-day that took the vendor months to patch.
Few Technical Details, Many Affected Products
While Citrix didn't release technical details on the latest bugs, VulnDB noted on Wednesday that for CVE-2021-22955, “the exploitability is told to be difficult. The attack can only be initiated within the local network. The exploitation doesn't require any form of authentication.” It assigned a severity rating of 5.1 out of 10 to the bug, despite Citrix's internal rating of “critical.”
The site also reported that exploits are estimated to be worth up to $5,000, and noted that “manipulation with an unknown input leads to a denial of service vulnerability…This is going to have an impact on availability.”
The vendor said the vulnerabilities affect the following supported versions:
Citrix ADC and Citrix Gateway (CVE-2021-22955 and CVE-2021-22956):
- Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27
- Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22
- Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23
- Citrix ADC 12.1-FIPS before 12.1-55.257
Citrix SD-WAN WANOP Edition (CVE-2021-22956):
- Models 4000-WO, 4100-WO, 5000-WO and 5100-WO
- Version 11.4 before 11.4.2
- Version 10.2 before 10.2.9c
- The WANOP component of SD-WAN Premium Edition is not affected.
In the case of the first Citrix ADC and Gateway bug, appliances must be configured as a VPN or AAA virtual server in order to be vulnerable.
In the second bug's case, appliances must have access to NSIP or SNIP with management interface access.
Customers using Citrix-managed cloud services are unaffected.
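As an added example (not code from the article, Citrix or VulnDB), the following Python triages a Citrix ADC/Gateway build string against the fixed builds listed above and reports per-CVE exposure, taking the VPN/AAA virtual server precondition into account; the `NetScaler NSxx.x: Build ...` line shape it parses is an assumed format, not one given on this page.

```python
"""Triage a Citrix ADC / Gateway build against the fixed builds quoted
above for CVE-2021-22955 and CVE-2021-22956. Added example; the
'show ns version' line format below is assumed, not from the advisory."""
import re
from typing import Optional

# First fixed build per release train, copied from the version list above.
FIXED_BUILDS = {
    ("13.0", False): "13.0-83.27",
    ("12.1", False): "12.1-63.22",
    ("11.1", False): "11.1-65.23",
    ("12.1", True):  "12.1-55.257",   # Citrix ADC 12.1-FIPS train
}

BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
# Assumed shape of a version line, e.g. "NetScaler NS13.0: Build 82.45.nc, ..."
SHOW_VERSION_RE = re.compile(r"NS(\d+)\.(\d+): Build (\d+)\.(\d+)")

def parse_build(build: str) -> tuple:
    """'13.0-82.45' -> (13, 0, 82, 45); tuples compare in build order."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(x) for x in m.groups())

def build_from_show_version(line: str) -> str:
    """Normalise an (assumed-format) version line to 'major.minor-build.sub'."""
    m = SHOW_VERSION_RE.search(line)
    if not m:
        raise ValueError(f"no build found in: {line!r}")
    major, minor, build, sub = m.groups()
    return f"{major}.{minor}-{build}.{sub}"

def assess(build: str, fips: bool = False,
           vpn_or_aaa_vserver: bool = True) -> Optional[dict]:
    """Per-CVE exposure for one appliance, or None when the release train
    is not in the advisory list and needs a manual check."""
    parsed = parse_build(build)
    fixed = FIXED_BUILDS.get((f"{parsed[0]}.{parsed[1]}", fips))
    if fixed is None:
        return None
    unpatched = parsed < parse_build(fixed)
    return {
        # 22955 only applies when a VPN or AAA virtual server is configured.
        "CVE-2021-22955": unpatched and vpn_or_aaa_vserver,
        # 22956 needs only management-interface reachability (NSIP/SNIP).
        "CVE-2021-22956": unpatched,
    }
```

Builds on a train the advisory does not list (the function returns `None`) should be checked against the vendor's current advisory rather than assumed safe.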
Some parts of this article are sourced from:
threatpost.com