11.10.2021

Citrix Vulnerabilities

Alert

Date of Notice: 11/10/2021

Action Level - Critical

Description

MCNC would like to make you aware of a Citrix security bulletin that covers two vulnerabilities, one of which is critical severity. The bulletin can be found here. CVE-2021-22955 could allow unauthenticated denial-of-service attacks on Citrix ADC and Citrix Gateway. CVE-2021-22956 could cause temporary disruption of the Management GUI, Nitro API and RPC communication on Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP Edition.

This bulletin only applies to customer-managed Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP Edition appliances. Customers using Citrix-managed cloud services do not need to take any action.

Affected Devices

The following supported versions of Citrix ADC and Citrix Gateway are affected by CVE-2021-22955 and CVE-2021-22956: 

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27 
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22 
  • Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23 
  • Citrix ADC 12.1-FIPS before 12.1-55.257 

The following supported versions of Citrix SD-WAN WANOP Edition are affected by CVE-2021-22956: 

  • Citrix SD-WAN WANOP Edition 11.4 before 11.4.2 
  • Citrix SD-WAN WANOP Edition 10.2 before 10.2.9c 
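To check an appliance inventory against the fixed builds listed above, the following added example (not part of the original alert or Citrix's bulletin) compares version strings branch by branch. The family labels, host names and sample inventory are constructed for illustration, and it assumes a lettered build such as 10.2.9c sorts after the same build without a letter.

```python
import re

# First fixed build per (family, release branch), copied from the lists above.
# The family labels are hypothetical names chosen for this example.
FIXED = {
    ("adc", "13.0"): "13.0-83.27",
    ("adc", "12.1"): "12.1-63.22",
    ("adc", "11.1"): "11.1-65.23",
    ("adc-fips", "12.1"): "12.1-55.257",
    ("sdwan-wanop", "11.4"): "11.4.2",
    ("sdwan-wanop", "10.2"): "10.2.9c",
}

def parse(version):
    """Turn '13.0-83.27' or '10.2.9c' into a tuple of (number, letter) pairs."""
    key = []
    for part in re.split(r"[.-]", version.strip()):
        m = re.fullmatch(r"(\d+)([a-z]?)", part)
        if m is None:
            raise ValueError(f"unrecognised version component: {part!r}")
        key.append((int(m.group(1)), m.group(2)))
    if len(key) < 2:
        raise ValueError(f"version has no release branch: {version!r}")
    return tuple(key)

def status(family, version):
    """Return 'affected', 'fixed-build', or 'unlisted' for one appliance."""
    key = parse(version)
    branch = f"{key[0][0]}.{key[1][0]}"
    fixed = FIXED.get((family, branch))
    if fixed is None:
        return "unlisted"  # branch not named in this alert; check the bulletin
    return "affected" if key < parse(fixed) else "fixed-build"

# Constructed sample inventory: (host, family, running version).
INVENTORY = [
    ("gw-01", "adc", "13.0-82.45"),
    ("gw-02", "adc", "12.1-63.22"),
    ("fips-01", "adc-fips", "12.1-55.257"),  # FIPS has its own fixed build
    ("wan-01", "sdwan-wanop", "10.2.9b"),
    ("lab-01", "adc", "13.1-4.43"),
]

def audit(inventory):
    return {host: status(family, ver) for host, family, ver in inventory}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host}: {result}")
```

A "fixed-build" result only confirms the software version; per the Remediation section, CVE-2021-22956 also requires a configuration change after upgrading. FIPS appliances must be tracked under their own family, since 12.1-55.257 is fixed for 12.1-FIPS but is below the 12.1-63.22 threshold for standard 12.1.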

Attack Vector

CVE-2021-22955 - Appliance must be configured as a VPN (Gateway) or AAA virtual server.

CVE-2021-22956 - Requires access to NSIP or SNIP with management interface access.

Attack Feasibility

While no known exploits are currently available, to reduce risk, Citrix strongly encourages you to apply the fixes as soon as possible.

Mitigations

No recommended mitigations are available.

Remediation

Citrix recommends that affected customers update to the current supported versions of Citrix ADC, Citrix Gateway, or Citrix SD-WAN WANOP as soon as possible.

In addition, upon upgrading to a fixed version, customers must also modify the device configuration to resolve CVE-2021-22956.
