CVSS2: 5.8 Medium
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:A/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 8.8 High
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low (percentile 34.2%)
A vulnerability has been identified affecting the Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, platforms, which could result in privilege escalation via Layer 2 network access on all network interfaces.
This vulnerability has been assigned the following CVE:
• CVE-2019-0140: Buffer overflow in firmware for Intel® Ethernet 700 Series Controllers
The following MPX/SDX series are affected:
• 8900
• 14000/14000-40G/14000-40S/14000-40C
• 15000/15000-50G
• 25000-40G
• 26000/26000-50S
Only 10G/25G/40G ports are affected by this vulnerability.
An attacker must have Layer 2 access to an affected port to leverage this vulnerability, which limits exposure to the peer switch (or to anything else able to place frames on that link). This issue is mitigated if Link Layer Discovery Protocol (LLDP) is disabled at the peer switch connecting the MPX/SDX.
Customers with affected versions of Citrix ADC MPX are recommended to upgrade the appliance firmware to one of the following versions:
Customers must then upgrade the network interface card firmware by following the guidance in the following article: <https://docs.citrix.com/en-us/citrix-hardware-platforms/mpx/fortville-nic-firmware-upgrade.html>.
Please note that after the network interface card firmware version is upgraded on the MPX, customers can no longer downgrade the appliance firmware to anything before the aforementioned versions.
Customers with affected versions of Citrix ADC SDX are recommended to upgrade the appliance firmware to a version which includes a firmware update for the vulnerable network interface card:
Please note that customers must first upgrade any VPX instances running on the appliance and then upgrade the SVM. More details are available in the following article: <https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/fortville-nic-firmware-upgrade-on-sdx.html>.
Alternatively, customers who are unable to upgrade are strongly recommended to disable Link Layer Discovery Protocol (LLDP) at the peer switch connecting the MPX or SDX. Because the trigger is LLDP traffic received on the affected 10G/25G/40G ports, the mitigation can be verified by confirming that no LLDP frames (EtherType 0x88CC, destination 01:80:c2:00:00:0e) still arrive on those ports after the switch-side change.
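The following is an added example, not tooling from Citrix or from the advisory: a small checker that takes raw Ethernet frames captured on an appliance port, identifies LLDP frames by EtherType 0x88CC, walks the LLDPDU TLV list with strict length validation (rejecting a TLV whose declared length overruns the frame, rather than reading past it), and summarises which peer is still advertising. The frames, the switch MAC address and the port name are constructed sample data; the function names are this example's own.

```python
"""Check whether a peer switch is still sending LLDP toward an appliance port.

Added example (not Citrix code). Input is a list of raw Ethernet frames as a
packet capture on a 10G/25G/40G port would yield them. An empty result from
lldp_peers() means no LLDP was seen, i.e. the switch-side mitigation holds.
"""
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")        # 01:80:c2:00:00:0e
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3


def parse_lldp_tlvs(payload: bytes):
    """Return [(type, value), ...] from an LLDPDU.

    Each TLV header is 16 bits: 7-bit type, 9-bit length. A length that runs
    past the end of the payload raises ValueError instead of being trusted.
    """
    tlvs, off = [], 0
    while off + 2 <= len(payload):
        hdr = struct.unpack_from("!H", payload, off)[0]
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + tlv_len > len(payload):
            raise ValueError(f"TLV type {tlv_type} length {tlv_len} exceeds frame")
        tlvs.append((tlv_type, payload[off:off + tlv_len]))
        off += tlv_len
        if tlv_type == TLV_END:
            break
    else:
        raise ValueError("LLDPDU missing End-of-LLDPDU TLV")
    return tlvs


def classify_frame(frame: bytes):
    """Return None for non-LLDP frames, else a dict describing the sender."""
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    if struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        return None
    info = {"src_mac": src.hex(":"), "to_lldp_mcast": dst == LLDP_MCAST}
    for tlv_type, value in parse_lldp_tlvs(frame[14:]):
        if tlv_type == TLV_CHASSIS_ID and value:
            # subtype 4 = MAC address; other subtypes carried as text
            info["chassis_id"] = (value[1:].hex(":") if value[0] == 4
                                  else value[1:].decode("ascii", "replace"))
        elif tlv_type == TLV_PORT_ID and value:
            # subtype 5 = interface name, 7 = locally assigned; else hex
            info["port_id"] = (value[1:].decode("ascii", "replace")
                               if value[0] in (5, 7) else value[1:].hex(":"))
        elif tlv_type == TLV_TTL and len(value) == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
    return info


def lldp_peers(frames):
    """Map source MAC -> neighbour info for every LLDP sender in a capture."""
    peers = {}
    for frame in frames:
        info = classify_frame(frame)
        if info:
            peers.setdefault(info["src_mac"], info)
    return peers


def build_lldp_frame(src_mac: bytes, chassis_mac: bytes, port_name: bytes, ttl: int) -> bytes:
    """Assemble a minimal well-formed LLDP frame (used here to construct sample input)."""
    def tlv(t, v):
        return struct.pack("!H", (t << 9) | len(v)) + v
    body = (tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)
            + tlv(TLV_PORT_ID, b"\x05" + port_name)
            + tlv(TLV_TTL, struct.pack("!H", ttl))
            + tlv(TLV_END, b""))
    return LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + body


# Constructed sample capture: one LLDP advertisement from a hypothetical
# switch, plus an unrelated IPv4 frame that must be ignored.
SWITCH_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_lldp_frame(SWITCH_MAC, SWITCH_MAC, b"Ethernet1/7", 120),
    bytes.fromhex("ffffffffffff" "0a0b0c0d0e0f" "0800") + b"\x45" + b"\x00" * 19,
]
# Constructed malformed LLDPDU: a Chassis ID TLV claiming 511 bytes in a 1-byte body.
MALFORMED = (LLDP_MCAST + SWITCH_MAC + struct.pack("!H", LLDP_ETHERTYPE)
             + struct.pack("!H", (TLV_CHASSIS_ID << 9) | 0x1FF) + b"\x04")

if __name__ == "__main__":
    peers = lldp_peers(SAMPLE_FRAMES)
    if not peers:
        print("no LLDP seen: peer-switch mitigation appears to be in place")
    for mac, info in peers.items():
        print(f"LLDP still arriving from {mac}: {info}")
    try:
        classify_frame(MALFORMED)
    except ValueError as exc:
        print(f"rejected malformed LLDPDU: {exc}")
```

Run it against a capture of the appliance port instead of SAMPLE_FRAMES (for example by reading each packet's bytes from a pcap with any pcap library); any entry in the result means the peer switch is still advertising and the mitigation is not yet effective.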
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 - Reporting Security Issues to Citrix
| Date | Change |
|---|---|
| 2019-11-12 | Initial Publication |
| 2020-10-21 | Updated guidance |
| 2022-01-18 | Fixed typos in affected MPX/SDX series section |