Citrix addresses a critical flaw in ADC, Gateway

Pierluigi Paganini November 10, 2021

Citrix addressed two vulnerabilities affecting Citrix ADC, Gateway, and SD-WAN, one of them is a critical issue leading to DoS.

Citrix has released security updates to address two vulnerabilities in ADC, Gateway, and SD-WAN, including a critical flaw, tracked as CVE-2021-22955, that can be exploited to trigger a denial of service (DoS) condition.

The CVE-2021-22955 DoS vulnerability affects Citrix Application Delivery Controller (ADC) and Gateway devices that have been configured as a VPN (Gateway) or AAA virtual server.

The second vulnerability, tracked as CVE-2021-22956, affects ADC and Gateway. The issue also affects SD-WAN WANOP edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.

The exploitation of the flaw can lead to the temporary disruption of the Management GUI, Nitro API and RPC communication. This vulnerability has been rated with low severity.

Citrix recommends customers to install the update as soon as possible. Below is the list of supported versions of ADC and Citrix Gateway address both CVE-2021-22955 and CVE-2021-22956:

  • Citrix ADC and Citrix Gateway 13.1-4.43 and later releases of 13.1 
  • Citrix ADC and Citrix Gateway 13.0-83.27 and later releases of 13.0 
  • Citrix ADC and Citrix Gateway 12.1-63.22 and later releases of 12.1 
  • Citrix ADC and NetScaler Gateway 11.1-65.23 and later releases of 11.1 
  • Citrix ADC 12.1-FIPS 12.1-55.257 and later releases of 12.1-FIPS 

The following supported versions of Citrix SD-WAN WANOP Edition address CVE-2021-22956: 

  • Citrix SD-WAN WANOP Edition 11.4.2 and later releases of 11.4 
  • Citrix SD-WAN WANOP Edition 10.2.9c and later releases of 10.2 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory related to the above vulnerabilities.

“Citrix has released security updates to address vulnerabilities affecting multiple versions of Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP. An attacker could exploit these vulnerabilities to cause a denial-of-service condition.” reads the announcement published by CISA.

“CISA encourages users and administrators to review Citrix Security Bulletin CTX330728 and apply the necessary updates as soon as possible.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Citrix)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment