Nov 11, 2021

Critical Citrix Bug Shuts Down Network, Cloud App Access

The distributed computing vendor patched the flaw, affecting Citrix ADC and Gateway, along with another flaw impacting availability for SD-WAN appliances.
A critical security bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway could allow cyberattackers to crash entire corporate networks without needing to authenticate.
The two affected Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively. The vendor pushed out a security patch on Tuesday for the vulnerability, tracked as CVE-2021-22955, which allows unauthenticated denial of service (DoS) due to uncontrolled resource consumption, according to the advisory.
Citrix also addressed a lower-severity bug that is likewise due to uncontrolled resource consumption. It impacts both of the aforementioned products, as well as the Citrix SD-WAN WANOP Edition appliance. The latter provides optimization for Citrix SD-WAN deployments, which enable secure connectivity and seamless access to virtual, cloud and software-as-a-service (SaaS) apps across enterprise and branch locations.
Tracked as CVE-2021-22956, the second flaw allows temporary disruption of: a device’s management GUI; the Nitro API for configuring and monitoring NetScaler appliances programmatically; and remote procedure call (RPC) communication, which is what essentially enables distributed computing in Citrix settings.
As for the potential impact of exploitation, all three products are widely deployed globally, with Gateway and ADC alone installed in at least 80,000 companies in 158 countries as of early 2020, according to an assessment from Positive Technologies at the time.
Disruption to any of the appliances could cut off remote and branch access to corporate resources and block cloud and virtual assets and apps more generally.
All of this makes them an attractive target for cybercriminals, and indeed, the Citrix ADC and Gateway in particular are no spring chickens when it comes to the critical vulnerability scene.
In the summer of 2020, multiple vulnerabilities were discovered that would allow code injection, information disclosure and denial of service, with many exploitable by an unauthenticated, remote attacker. And, in December of 2019, a critical RCE bug was disclosed as a zero-day that took the vendor weeks to patch.
While Citrix didn’t release technical details on the latest bugs, VulnDB noted on Wednesday that for CVE-2021-22955, “the exploitability is told to be difficult. The attack can only be initiated within the local network. The exploitation doesn’t require any form of authentication.” It assigned a severity score of 5.1 out of 10 to the bug, despite Citrix’s internal rating of “critical.”
The site also reported that exploits are calculated to be worth up to $5,000, and noted that “manipulation with an unknown input leads to a denial of service vulnerability…This is going to have an impact on availability.”
The vendor said the vulnerabilities affect the following supported versions:
Citrix ADC and Citrix Gateway (CVE-2021-22955 and CVE-2021-22956):
Citrix SD-WAN WANOP Edition (CVE-2021-22956):
In the case of the first Citrix ADC and Gateway bug, appliances must be configured as a VPN or AAA virtual server in order to be vulnerable.
In the case of the second bug, appliances must have access to NSIP or SNIP with management interface access.
Customers using Citrix-managed cloud services are unaffected.
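The two preconditions above (a VPN or AAA virtual server for CVE-2021-22955; reachable NSIP or SNIP with management access for CVE-2021-22956) can be checked from an appliance's running configuration. The following script is an added triage example, not code from Citrix or from the advisory: it scans an ns.conf-style dump for `add vpn vserver`, `add authentication vserver`, the NSIP from `set ns config -IPAddress`, and SNIPs carrying `-mgmtAccess ENABLED`, and reports which preconditions apply so an operator knows which appliances to prioritize for patching and which management addresses need ACL review. The command syntax follows the NetScaler CLI as the author understands it, and the sample configuration, names and addresses are constructed.

```python
import re

# Constructed ns.conf-style sample; addresses and object names are made up.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.10.0.10 -netmask 255.255.255.0
add ns ip 10.10.0.11 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.10.1.11 255.255.255.0 -type SNIP
add vpn vserver vpn_corp SSL 203.0.113.10 443
add authentication vserver aaa_portal SSL 203.0.113.11 443
add lb vserver lb_web HTTP 203.0.113.12 80
"""

# Patterns for the configuration lines relevant to the advisory preconditions
# (assumed CLI syntax: "add vpn vserver <name> ...", "add authentication vserver <name> ...",
#  "set ns config -IPAddress <nsip> ...", "add ns ip <ip> <mask> -type SNIP [-mgmtAccess ENABLED]").
VPN_VSERVER = re.compile(r"^add vpn vserver (\S+)")
AAA_VSERVER = re.compile(r"^add authentication vserver (\S+)")
NSIP_LINE = re.compile(r"^set ns config .*-IPAddress (\S+)")
SNIP_LINE = re.compile(r"^add ns ip (\S+) \S+ .*-type SNIP")


def triage(ns_conf: str) -> dict:
    """Report which advisory preconditions a configuration meets.

    Returns the VPN/AAA vservers (CVE-2021-22955 precondition) and the
    management-capable IPs, i.e. the NSIP plus SNIPs with management access
    (the addresses whose reachability matters for CVE-2021-22956).
    """
    vpn, aaa, mgmt_ips = [], [], []
    for raw in ns_conf.splitlines():
        line = raw.strip()
        m = VPN_VSERVER.match(line)
        if m:
            vpn.append(m.group(1))
            continue
        m = AAA_VSERVER.match(line)
        if m:
            aaa.append(m.group(1))
            continue
        m = NSIP_LINE.match(line)
        if m:
            # The NSIP always carries management access.
            mgmt_ips.append(m.group(1))
            continue
        m = SNIP_LINE.match(line)
        if m and "-mgmtAccess ENABLED" in line:
            mgmt_ips.append(m.group(1))
    return {
        "vpn_vservers": vpn,
        "aaa_vservers": aaa,
        "mgmt_ips": mgmt_ips,
        # CVE-2021-22955: only appliances configured as VPN or AAA vserver are exposed.
        "cve_2021_22955_precondition": bool(vpn or aaa),
        # CVE-2021-22956: restrict who can reach these addresses (management ACLs).
        "cve_2021_22956_mgmt_exposure": bool(mgmt_ips),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NS_CONF).items():
        print(f"{key}: {value}")
```

Run it against `show ns runningConfig` output saved to a file instead of the embedded sample; an appliance with no VPN or AAA vserver is outside the CVE-2021-22955 precondition but still needs the patch, and the listed management IPs are the ones whose exposure beyond the management network should be confirmed via ACLs.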


