7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.1%
A vulnerability has been identified in Citrix Application Delivery Management Agent that could allow an unauthenticated attacker with network access to the management agent interface to obtain sensitive information. Disclosed information could be used for privilege escalation beyond the agent system.
The following deployment scenarios are affected:
1. Citrix Application Delivery Management server on-premises with ADM Agents
2. Citrix Application Delivery Management on Cloud with ADM Agents deployed on-premises or customer-managed cloud datacenters.
This vulnerability has been assigned the following CVE number:
ā¢ CVE-2019-9548: Information Disclosure Vulnerability in Citrix Application Delivery Management Agent.
This vulnerability affects the following product versions:
ā¢ Citrix Application Delivery Management Agent version 12.1 earlier than build 50.33
ā¢ Citrix Application Delivery Management Agent Cloud version 13.0 earlier than build 33.23
In order to exploit this vulnerability, an attacker would require network access to the management agent interface. In situations where the agent management interface has been limited to only trusted network traffic the exposure of the issue is limited.
Agents deployed as a part of valid (non-expired) Citrix Cloud subscription of Citrix ADM updated to latest agent version 13.0.-33.23 or newer are unaffected.
This vulnerability has been addressed in the following version of Citrix Application Delivery Management Agent:
ā¢ Citrix Application Delivery Management Agent version 12.1 build 50.33 and later
ā¢ Citrix Application Delivery Management Agent Cloud version 13.0 build 33.23 and later
Citrix strongly recommends that customers affected by this vulnerability upgrade to a version of the Citrix Application Delivery Management Agent that contains a fix for this issue as soon as possible.
The latest on-premises version is available on the Citrix website at the following address:
<https://www.citrix.com/downloads/citrix-application-management/>
The latest Cloud version is available in the Citrix Cloud Application Delivery Management portal under Networks > Agents
In line with industry best practice, Citrix also recommends that customers limit access to the management agent interface to trusted network traffic only.
For deployments that are unable to apply the mitigating updates the following document describes agent configuration changes that are available to mitigate the issue until a time that the appropriate updates can be applied:
CTX247823 ā Blocking network access to Citrix Application Delivery Management Agent
Note: Blocking these ports will prevent CPX Auto-registration.
Citrix thanks Mark Du Plessis for working with us to protect Citrix customers.
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at _ <http://support.citrix.com/>_.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at _ <https://www.citrix.com/support/open-a-support-case.html>_.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 ā Reporting Security Issues to Citrix
Date | Change |
---|---|
11th March 2019 | Initial Publication |
15th March 2019 | Acknowledgements Added |
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.1%