Authentication Bypass Vulnerability in Citrix NetScaler

Please contact our Operations Center if we can assist you with addressing this critical Citrix NetScaler security issue, which requires updating affected appliances.

Sincerely,

Centrinet Support Team

support@centrinetcorp.com

678.373.0450

Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface

DESCRIPTION OF PROBLEM

A vulnerability has been identified in the management interface of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that, if exploited, could allow an attacker with access to the NetScaler management interface to gain administrative access to the appliance.

This vulnerability has been assigned the following CVE number:

  • CVE-2017-14602: Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface

This vulnerability affects the following product versions:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build 53.13 (except for build 41.24)
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build 55.13
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build 70.16
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build 66.9
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5e earlier than build 60.7010.e
  • Citrix NetScaler ADC and NetScaler Gateway version 10.1 earlier than build 135.18

MITIGATING FACTORS

In order to exploit this vulnerability, an attacker would require access to the management interface of the NetScaler. In situations where customers have deployed their NetScaler ADC and NetScaler Gateway appliances in line with industry best practice, network access to this interface should already be restricted.


WHAT CUSTOMERS SHOULD DO

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 41.24 and build 53.13 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 55.13 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 70.16 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 66.9 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5e build 60.7010.e and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.1 build 135.18 and later
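As an added defender's check that is not part of the Citrix advisory or Centrinet's text, the script below encodes the affected and fixed build lists above and reports whether a given release/build pair is listed as vulnerable, including the build 41.24 exception on release 12.0. The "<release>-<build>" input format and the sample build values are assumptions constructed for this example; take the release and build from your appliance's own version output.

```python
"""Check a NetScaler release/build pair against the fixed-build list in CTX227928."""
import re

# Fixed build per release as listed in the advisory, plus any earlier build
# that the advisory explicitly says already contains the fix.
FIXED_BUILDS = {
    "12.0": ("53.13", {"41.24"}),   # build 41.24 is excepted from the affected range
    "11.1": ("55.13", set()),
    "11.0": ("70.16", set()),
    "10.5": ("66.9", set()),
    "10.5e": ("60.7010.e", set()),  # enhancement branch, ".e" suffix on the build
    "10.1": ("135.18", set()),
}


def build_key(build: str) -> tuple:
    """Convert '53.13' or '60.7010.e' to an integer tuple for ordering.

    Non-numeric parts such as the '.e' enhancement marker are ignored.
    """
    return tuple(int(part) for part in build.split(".") if part.isdigit())


def is_affected(release: str, build: str) -> bool:
    """Return True if this release/build is in the advisory's affected range.

    Releases the advisory does not mention are reported as not affected.
    """
    if release not in FIXED_BUILDS:
        return False
    fixed, excepted = FIXED_BUILDS[release]
    if build in excepted:
        return False
    return build_key(build) < build_key(fixed)


# Assumed input form for this example: "<release>-<build>", e.g. "12.0-53.13".
VERSION_RE = re.compile(r"^(\d+\.\d+e?)-(\d+\.\d+(?:\.e)?)$")


def check_version_string(version: str) -> bool:
    """Parse the assumed '<release>-<build>' form and check it against the advisory."""
    match = VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return is_affected(match.group(1), match.group(2))


if __name__ == "__main__":
    # Constructed sample values, not an inventory of real appliances.
    for version in ["12.0-41.24", "12.0-41.16", "12.0-53.13", "10.5e-60.7009.e", "10.1-130.10"]:
        print(version, "AFFECTED" if check_version_string(version) else "fixed")
```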

Citrix strongly recommends that customers impacted by this vulnerability upgrade to a version of the Citrix NetScaler ADC or NetScaler Gateway that contains a fix for this issue as soon as possible.

These versions are available on the Citrix website at the following addresses:

https://www.citrix.com/downloads/netscaler-adc/
https://www.citrix.com/downloads/netscaler-gateway/

In line with industry best practice, Citrix also recommends that customers limit access to the management interface to trusted network traffic only.

https://support.citrix.com/article/CTX227928