Description of Problem

Multiple vulnerabilities have been discovered in Citrix ADC (formerly NetScaler ADC), Citrix Gateway (formerly NetScaler Gateway), and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO and 5100-WO. If exploited, these vulnerabilities could result in the following security issues:

| CVE ID | Description | Vulnerability Type | Affected Products | Pre-conditions |
|---|---|---|---|---|
| CVE-2020-8245 | HTML injection attack against the SSL VPN web portal | CWE-79: Improper Neutralization of Input During Web Page Generation | Citrix ADC, Citrix Gateway | Requires an authenticated victim on the SSL VPN web portal who must open an attacker-controlled link in the browser |
| CVE-2020-8246 | Denial of service attack from the management network | CWE-400: Uncontrolled Resource Consumption | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | Unauthenticated attacker with access to the management network |
| CVE-2020-8247 | Privilege escalation on the management interface | CWE-269: Improper Privilege Management | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | An attacker must possess privilege to execute arbitrary commands on the management interface |

These vulnerabilities have been addressed in the following supported versions:

  • Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
  • Citrix ADC and NetScaler Gateway 12.1-58.15 and later releases
  • Citrix ADC 12.1-FIPS 12.1-55.187 and later releases
  • Citrix ADC and NetScaler Gateway 11.1-65.12 and later releases
  • Citrix SD-WAN WANOP 11.2.1a and later releases
  • Citrix SD-WAN WANOP 11.1.2a and later releases
  • Citrix SD-WAN WANOP 11.0.3f and later releases
  • Citrix SD-WAN WANOP 10.2.7b and later releases

Customers should note that Citrix ADC and Citrix Gateway 12.0 (end of maintenance) are affected by these vulnerabilities. Citrix recommends that customers running this version upgrade to a later version that addresses these issues.

In addition, security enhancements have been added to the above versions of Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP to help protect customers against HTTP Request Smuggling attacks. Customers can enable these enhancements through the Citrix ADC management interface. For more information, see https://support.citrix.com/article/CTX282268.
