Citrix addresses a critical flaw in ADC, Gateway

Citrix addressed two vulnerabilities affecting Citrix ADC, Gateway, and SD-WAN, one of them is a critical issue leading to DoS.

Citrix has released security updates to address two vulnerabilities in ADC, Gateway, and SD-WAN, including a critical flaw, tracked as CVE-2021-22955, that can be exploited to trigger a denial of service (DoS) condition.

The CVE-2021-22955 DoS vulnerability affects Citrix Application Delivery Controller (ADC) and Gateway devices that have been configured as a VPN (Gateway) or AAA virtual server.

The second vulnerability, tracked as CVE-2021-22956, affects ADC and Gateway. The issue also affects SD-WAN WANOP edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.

The exploitation of the flaw can lead to the temporary disruption of the Management GUI, Nitro API and RPC communication. This vulnerability has been rated with low severity.

Citrix recommends customers to install the update as soon as possible. Below is the list of supported versions of ADC and Citrix Gateway address both CVE-2021-22955 and CVE-2021-22956:

Citrix ADC and Citrix Gateway 13.1-4.43 and later releases of 13.1
Citrix ADC and Citrix Gateway 13.0-83.27 and later releases of 13.0
Citrix ADC and Citrix Gateway 12.1-63.22 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.23 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.257 and later releases of 12.1-FIPS

The following supported versions of Citrix SD-WAN WANOP Edition address CVE-2021-22956:

Citrix SD-WAN WANOP Edition 11.4.2 and later releases of 11.4
Citrix SD-WAN WANOP Edition 10.2.9c and later releases of 10.2

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory related to the above vulnerabilities.

“Citrix has released security updates to address vulnerabilities affecting multiple versions of Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP. An attacker could exploit these vulnerabilities to cause a denial-of-service condition.” reads the announcement published by CISA.

“CISA encourages users and administrators to review Citrix Security Bulletin CTX330728 and apply the necessary updates as soon as possible.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Citrix)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.