written by Rick Passero, CISSP

On July 7, 2020, Citrix published a security bulletin (CTX276688) disclosing 11 security vulnerabilities in their networking products, including Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and certain models of Citrix SD-WAN WANOP appliances. These vulnerabilities do not affect cloud deployments. Citrix is not aware of any active exploitations against these issues, and has released patches that fully resolve them.

According to the official bulletin, “Citrix strongly recommends that customers immediately install” the updates which bring these products to versions that have been patched for the disclosed vulnerabilities. While this is solid advice for a vendor to give and the importance of patch management cannot be understated – in an ideal world, every organization would deploy every new security patch released for every system they operate immediately after patches are released – most organizations do not operate in ideal conditions and have to contend with limited resources and patches that occasionally do more harm than good, which makes it necessary to make hard decisions about which systems get patched. IPM’s security team works with clients to develop best practice security programs that incorporate a risk-based approach to patch and vulnerability management and provide clarity to this decision-making process, and we would like to share some general advice in light of this announcement.

Our recommended approach takes a number of factors into account, including:

• Your organization’s risk profile, threat landscape, and compliance requirements
• The potential impact to the organization if the vulnerability were to be successfully exploited
• The potential impact to the organization if the patch is applied
• The likelihood that a particular vulnerability will be exploited in the organization’s environment, which includes consideration of any mitigating controls or prerequisites that need to be satisfied for the vulnerability to actually present

In this case, the potential impact to the organization for an exploited vulnerability is related to the product use cases: who is using the ADC and for what purposes? A healthcare provider with thousands of physicians who use VDI desktops behind Citrix ADCs as their primary workspace to access patient records throughout the day has a potentially very different risk exposure than a retail organization that uses Citrix as an ad-hoc mechanism for employees to access HR policies and procedures on their intranet a few times a year.

Unfortunately, vendor-provided patches do not always provide a perfectly seamless implementation experience, and the operational disruptions that can result from installing patches without thoroughly testing them first can potentially be more damaging than the corresponding security impact of not patching at all. Testing patches in a non-production environment is the best way to gauge the impact of actually applying the patch, particularly if there are complexities in the organization’s implementation of a product that may not be present in a vendor’s testing environments (for example, custom code or integrations with third party platforms).

In addition to the security bulletin, Citrix has published a blog providing additional context on the vulnerabilities, which primarily addresses their exploitability, and provides a good example of an analysis of exploitability and mitigating factors.

“Of the 11 vulnerabilities,” they say, “there are six possible attack routes; five of those have barriers to exploitation.” Three of the six attack vectors occur against the management interface of a vulnerable device, meaning organizations that have followed security and Citrix best practices to have that interface segregated from the rest of the network by a firewall have greatly reduced risk in comparison to an organization that allows access to the management interface from end user networks.

Two of the remaining attack routes require a user to already have an existing account on the system. In one case, an attacker must be an authenticated local user on a Linux computer running the Citrix Gateway Plug-in, which can be exploited in a local elevation of privileges attack to gain administrator access to that specific endpoint. The other attack requires an authenticated VPN user accessing an SSL VPN to exploit a vulnerability that could allow them to perform remote port scanning of the internal network and determine if TLS connections are possible with a particular port.

The only vulnerability that could be directly exploited by an unauthenticated remote attacker is a potential Denial of Service (DoS) against a Gateway or Authentication (AAA) virtual server. Other types of virtual servers, such as load balancers, are not affected.

IPM has unparalleled breadth and depth of business, risk, compliance, and technological expertise when it comes to designing, implementing, maturing, and managing information security programs and controls. IPM can assist with the strategic elements of creating a security program that defines policies, practices, and procedures for components such as patch and vulnerability management, or with tactical elements including planning, testing, and implementing the recommended security patches.

For a free consultation on how we can help your organization mature its security posture, please contact us.