Citrix Gateway Plug-in for Windows Security Update

Description of Problem

Vulnerabilities have been identified in Citrix Gateway Plug-in for Windows that, if exploited, could result in a local user escalating their privilege level to SYSTEM.

The vulnerabilities have the following identifiers:

• CVE-2020-8257
• CVE-2020-8258

These vulnerabilities affect the following supported versions of Citrix Gateway Plug-in for Windows:

Customers with Citrix ADC or Citrix Gateway:

• Citrix Gateway Plug-in 13.0 for Windows before 64.35
• Citrix Gateway Plug-in 12.1 for Windows before 59.16

Customers with Citrix ADC 12.1-FIPS:

• Citrix Gateway Plug-in 12.1 for Windows before 55.190

These vulnerabilities do not affect Citrix Gateway Plug-in on other platforms.

Citrix Gateway Plug-in for Windows 11.1 is not affected by these vulnerabilities. Other versions are now End-of-Life and no longer supported.

The following supported versions of Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway) include an impacted version of Citrix Gateway Plug-in in order to distribute it to users when they connect to Citrix Gateway:

• Citrix ADC and Citrix Gateway 13.0 before 64.35
• NetScaler ADC and NetScaler Gateway 12.1 before 59.16
• Citrix ADC 12.1-FIPS before 55.190

---

What Customers Should Do

Citrix strongly recommends that:

customers with Citrix Gateway and customers using the SSL VPN component of Citrix ADC upgrade to a version that includes and distributes a fixed version of Citrix Gateway Plug-in for Windows.

AND

customers with users who have a vulnerable version of Citrix Gateway Plug-in for Windows ensure they upgrade to a fixed version of Citrix Gateway Plug-in for Windows as soon as possible. This can be achieved when they log in to a supported version of Citrix ADC or Citrix Gateway or by installing a compatible fixed version from Citrix.com.

The issues have been addressed in the following versions of Citrix Gateway Plug-in for Windows:

Customers with Citrix ADC or Citrix Gateway:

• Citrix Gateway Plug-in 13.0 for Windows 64.35 and later versions
• Citrix Gateway Plug-in 12.1 for Windows 59.16 and later versions

Customers with Citrix ADC 12.1-FIPS:

• Citrix Gateway Plug-in 12.1 for Windows 55.190 and later versions

The latest versions of Citrix Gateway Plug-in for Windows are available from:

<https://www.citrix.com/downloads/citrix-gateway/plug-ins/&gt;

Please note that versions of Citrix Gateway Plug-in which are compatible with Citrix ADC 12.1-FIPS are delivered directly from Citrix ADC 12.1-FIPS and are not available from Citrix.com.

Fixed versions of Citrix Gateway Plug-in for Windows are included in the following versions of Citrix ADC and Citrix Gateway:

• Citrix ADC and Citrix Gateway 13.0-64.35 and later releases
• NetScaler ADC and NetScaler Gateway 12.1-59.16 and later releases
• Citrix ADC 12.1-FIPS 55.190 and later releases

The latest versions of Citrix ADC and Citrix Gateway are available from:

<https://www.citrix.com/downloads/citrix-adc/&gt;

<https://www.citrix.com/downloads/citrix-gateway/&gt;

---

Acknowledgements

Citrix would like to thank Chen Erlich of Cymptom (@chen_erlich) for working with us to protect Citrix customers.

---

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at _ <http://support.citrix.com/&gt;_.

---

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at _ <https://www.citrix.com/support/open-a-support-case.html&gt;_.

---

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: <https://www.citrix.com/about/trust-center/vulnerability-process.html&gt;

---

Changelog

Date	Change
2020-10-13	Initial Publication

---