CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

EPSS: 0.002 Low (Percentile 60.7%)

Vulnerabilities have been identified in Citrix Gateway Plug-in for Windows that, if exploited, could result in a local user escalating their privilege level to SYSTEM.
The vulnerabilities have the following identifiers:
These vulnerabilities affect the following supported versions of Citrix Gateway Plug-in for Windows:
Customers with Citrix ADC or Citrix Gateway:
Customers with Citrix ADC 12.1-FIPS:
These vulnerabilities do not affect Citrix Gateway Plug-in on other platforms.
Citrix Gateway Plug-in for Windows 11.1 is not affected by these vulnerabilities. Other versions are now End-of-Life and no longer supported.
The following supported versions of Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway) include an impacted version of Citrix Gateway Plug-in in order to distribute it to users when they connect to Citrix Gateway:
Citrix strongly recommends that:
customers with Citrix Gateway and customers using the SSL VPN component of Citrix ADC upgrade to a version that includes and distributes a fixed version of Citrix Gateway Plug-in for Windows.
AND
customers with users who have a vulnerable version of Citrix Gateway Plug-in for Windows ensure they upgrade to a fixed version of Citrix Gateway Plug-in for Windows as soon as possible. This can be achieved when they log in to a supported version of Citrix ADC or Citrix Gateway or by installing a compatible fixed version from Citrix.com.
The issues have been addressed in the following versions of Citrix Gateway Plug-in for Windows:
Customers with Citrix ADC or Citrix Gateway:
Customers with Citrix ADC 12.1-FIPS:
The latest versions of Citrix Gateway Plug-in for Windows are available from:
<https://www.citrix.com/downloads/citrix-gateway/plug-ins/>
Please note that versions of Citrix Gateway Plug-in which are compatible with Citrix ADC 12.1-FIPS are delivered directly from Citrix ADC 12.1-FIPS and are not available from Citrix.com.
Fixed versions of Citrix Gateway Plug-in for Windows are included in the following versions of Citrix ADC and Citrix Gateway:
The latest versions of Citrix ADC and Citrix Gateway are available from:
<https://www.citrix.com/downloads/citrix-adc/>
<https://www.citrix.com/downloads/citrix-gateway/>
Citrix would like to thank Chen Erlich of Cymptom (@chen_erlich) for working with us to protect Citrix customers.
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: <https://www.citrix.com/about/trust-center/vulnerability-process.html>
Date | Change |
---|---|
2020-10-13 | Initial Publication |
CPE Name | Operator | Version |
---|---|---|
citrix adc | ge | 13.0 |
citrix adc | le | 64.35 |
citrix adc | ge | 14.0.0 |
citrix adc | ge | 15.0.0 |
citrix adc | ge | 16.0.0 |
citrix adc | ge | 17.0.0 |
citrix adc | ge | 18.0.0 |
citrix adc | ge | 19.0.0 |
citrix adc | ge | 20.0.0 |
citrix adc | ge | 21.0.0 |