Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in the following security issues:

The vulnerabilities are addressed in the following supported versions:

• Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
• Citrix ADC and NetScaler Gateway 12.1-58.15 and later releases
• Citrix ADC 12.1-FIPS 12.1-55.187 and later releases
• Citrix ADC and NetScaler Gateway 11.1-65.12 and later releases
• Citrix SD-WAN WANOP 11.2.1a and later releases
• Citrix SD-WAN WANOP 11.1.2a and later releases
• Citrix SD-WAN WANOP 11.0.3f and later releases
• Citrix SD-WAN WANOP 10.2.7b and later releases

Customers should note that Citrix ADC and Citrix Gateway 12.0, which has reached End of Maintenance, is impacted by these vulnerabilities. Citrix recommends that customers using this version upgrade to a later version that addresses these issues.

Additionally, security enhancements to help protect customers against HTTP Request Smuggling attacks have been added to the above versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP. Customers may enable these enhancements using the Citrix ADC management interface. Please see https://support.citrix.com/article/CTX282268 for more information.

Two of the three vulnerabilities originate in the management interface of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP. Citrix strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic. Doing so greatly diminishes risk of exploitation. Please see https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html for more information.

Fixed builds have been released for supported versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP. Citrix recommends that affected customers install these updates as soon as their patching schedule permits.

The latest builds can be downloaded from https://www.citrix.com/downloads/citrix-adc/, https://www.citrix.com/downloads/citrix-gateway/ and https://www.citrix.com/downloads/citrix-sd-wan/

Citrix would like to thank Knud of F-Secure, Arsenii Pustovit of Adversary Emulation team (Royal Bank of Canada), Moritz Bechler of SySS GmbH, Johan Georges from Wisearc Advisors in Sweden, Vasilis Maritsas of EY Consulting, Juan David Ordoñez Noriega, member of RedTeam CSIETE and Ricardo Iramar Dos Santos for working with us to protect Citrix customers.

To receive future security bulletins, customers can update their support notifications at https://support.citrix.com/user/alerts or subscribe to the RSS feed at https://support.citrix.com/feeds.

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: – https://www.citrix.com/about/trust-center/vulnerability-process.html