The distributed computing vendor patched the flaw, affecting Citrix ADC and Gateway, along with another flaw impacting availability for SD-WAN appliances.
A critical security bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway could allow cyberattackers to crash entire corporate networks without needing to authenticate.
The two affected Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively. The vendor pushed out a security patch on Tuesday for the vulnerability, tracked as CVE-2021-22955, which allows unauthenticated denial of service (DoS) due to uncontrolled resource consumption, according to the advisory.
Citrix also addressed a lower-severity bug that is likewise due to uncontrolled resource consumption. It impacts both previous products, as well as the Citrix SD-WAN WANOP Edition appliance. The latter provides optimization for Citrix SD-WAN deployments, which enable secure connectivity and seamless access to virtual, cloud and software-as-a-service (SaaS) apps across enterprise and branch locations.
Tracked as CVE-2021-22956, the second flaw allows temporary disruption of: a device’s management GUI; the Nitro API for configuring and monitoring NetScaler appliances programmatically; and remote procedure call (RPC) communication, which is what essentially enables distributed computing in Citrix settings.
In terms of the impact of exploitation, all three products are widely deployed globally, with Gateway and ADC alone installed in at least 80,000 companies in 158 countries as of early 2020, according to an assessment from Positive Technologies at the time.
Disruption to any of the appliances could block remote and branch access to corporate resources and, more generally, cut off access to cloud and virtual assets and apps.
All of this makes them an attractive target for cybercriminals, and indeed, the Citrix ADC and Gateway in particular are no spring chickens when it comes to the critical vulnerability scene.
In the summer of 2020, multiple vulnerabilities were discovered that would allow code injection, information disclosure and denial of service, with many exploitable by an unauthenticated, remote attacker. And, in December of 2019, a critical RCE bug was disclosed as a zero-day that took the vendor weeks to patch.
While Citrix didn’t release technical details on the latest bugs, VulnDB noted on Wednesday that for CVE-2021-22955, “the exploitability is told to be difficult. The attack can only be initiated within the local network. The exploitation doesn’t require any form of authentication.” It assigned a severity score of 5.1 out of 10 to the bug, despite Citrix’ internal rating of “critical.”
The site also reported that exploits are calculated to be worth up to $5,000, and noted that “manipulation with an unknown input leads to a denial of service vulnerability…This is going to have an impact on availability.”
The vendor said the vulnerabilities affect the following supported versions:
Citrix ADC and Citrix Gateway (CVE-2021-22955 and CVE-2021-22956):
Citrix SD-WAN WANOP Edition (CVE-2021-22956):
In the case of the first Citrix ADC and Gateway bug, appliances must be configured as a VPN or AAA virtual server in order to be vulnerable.
In the case of the second bug, appliances must have access to the NetScaler IP (NSIP) or a subnet IP (SNIP) with management interface access enabled.
Customers using Citrix-managed cloud services are unaffected.
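The two preconditions above (a VPN or AAA virtual server for CVE-2021-22955; an NSIP or a SNIP with management access for CVE-2021-22956) can be triaged from a configuration export. The following is an added example, not Citrix's or Threatpost's code; it assumes the ns.conf line syntax shown in the constructed sample, which mirrors the usual `add vpn vserver`, `add authentication vserver`, `set ns config -IPAddress` and `add ns ip ... -mgmtAccess ENABLED` forms.

```python
import re
from typing import Dict, List

# Constructed ns.conf excerpt (not from the advisory or article); the syntax
# is assumed to match a typical Citrix ADC configuration export.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.2 -netmask 255.255.255.0
add ns ip 10.0.0.5 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.0.0.6 255.255.255.0 -type SNIP
add vpn vserver vpn_gw SSL 10.0.0.10 443
add authentication vserver aaa_vs SSL 10.0.0.11 443
add lb vserver web_lb HTTP 10.0.0.20 80
"""

# CVE-2021-22955 precondition: appliance configured as a VPN or AAA vserver.
VPN_AAA_RE = re.compile(r"^add (vpn|authentication) vserver (\S+)")
# CVE-2021-22956 precondition: a management-reachable IP. The NSIP always
# carries management access; a SNIP only does so with -mgmtAccess ENABLED.
NSIP_RE = re.compile(r"^set ns config .*-IPAddress (\S+)")
MGMT_SNIP_RE = re.compile(r"^add ns ip (\S+) .*-mgmtAccess ENABLED")


def assess_exposure(ns_conf: str) -> Dict[str, List[str]]:
    """Return, per CVE, the config objects that satisfy its precondition.

    An empty list for a CVE means the stated precondition is not met in this
    configuration; a non-empty list means the patch should be prioritised.
    """
    findings: Dict[str, List[str]] = {"CVE-2021-22955": [], "CVE-2021-22956": []}
    for raw in ns_conf.splitlines():
        line = raw.strip()
        if m := VPN_AAA_RE.match(line):
            findings["CVE-2021-22955"].append(f"{m.group(1)} vserver {m.group(2)}")
        elif m := NSIP_RE.match(line):
            findings["CVE-2021-22956"].append(f"NSIP {m.group(1)}")
        elif m := MGMT_SNIP_RE.match(line):
            findings["CVE-2021-22956"].append(f"SNIP {m.group(1)} (mgmtAccess)")
    return findings


if __name__ == "__main__":
    for cve, hits in assess_exposure(SAMPLE_NS_CONF).items():
        print(f"{cve}: {'exposed via ' + ', '.join(hits) if hits else 'precondition not met'}")
```

Run it against a real `show ns runningConfig` export instead of the sample to get a per-appliance patch priority; the check reads configuration only and does not touch the appliance.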