Citrix Vulnerabilities
Date of Notice: 11/10/2021
Action Level - Critical
Description
MCNC would like to make you aware of a Citrix security bulletin that covers two vulnerabilities, one of them of critical severity. The bulletin can be found here. CVE-2021-22955 could allow unauthenticated denial of service attacks on Citrix ADC and Citrix Gateway. CVE-2021-22956 could cause temporary disruption of the Management GUI, Nitro API and RPC communication on Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP Edition.
This bulletin only applies to customer-managed Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP Edition appliances. Customers using Citrix-managed cloud services do not need to take any action.
Affected Devices
The following supported versions of Citrix ADC and Citrix Gateway are affected by CVE-2021-22955 and CVE-2021-22956:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27
- Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22
- Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23
- Citrix ADC 12.1-FIPS before 12.1-55.257
The following supported versions of Citrix SD-WAN WANOP Edition are affected by CVE-2021-22956:
- Citrix SD-WAN WANOP Edition 11.4 before 11.4.2
- Citrix SD-WAN WANOP Edition 10.2 before 10.2.9c
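The version lists above are the check an administrator actually has to run against each appliance. The following Python script is an added example, not part of the MCNC notice or of any Citrix tooling: it encodes the fixed builds quoted above, parses Citrix build strings of the form "13.0-83.27" (ADC/Gateway) and "10.2.9c" (SD-WAN WANOP), and reports which of the two CVEs still apply to a given build. It assumes that a build is affected exactly when it is on a listed branch and numerically below that branch's fixed build, that the letter suffix on WANOP builds orders alphabetically, and that the 12.1-FIPS train is identified by the caller rather than by the version string; the sample build numbers in the usage section are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Fixed builds copied from the bulletin above, keyed by release branch.
# The 12.1-FIPS train has its own build numbering, so it gets its own key.
ADC_FIXED = {
    "13.0": "13.0-83.27",
    "12.1": "12.1-63.22",
    "11.1": "11.1-65.23",
    "12.1-FIPS": "12.1-55.257",
}
WANOP_FIXED = {
    "11.4": "11.4.2",
    "10.2": "10.2.9c",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Citrix build string into a tuple that compares numerically.

    '13.0-83.27' -> (13,0, 0,0, 83,0, 27,0) and '10.2.9c' -> (10,0, 2,0, 9,3):
    each dotted/dashed token becomes (number, letter-suffix ordinal), so that
    10.2.9 < 10.2.9c and 13.0-83.27 == 13.0-83.27.  (Assumption: the letter
    suffix on WANOP builds orders alphabetically.)
    """
    parts = []
    for token in re.split(r"[.\-]", version.replace("-FIPS", "")):
        m = re.fullmatch(r"(\d+)([a-z]?)", token)
        if m is None:
            raise ValueError(f"unrecognised version token {token!r} in {version!r}")
        parts.append(int(m.group(1)))
        parts.append(ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0)
    return tuple(parts)


def release_branch(version: str) -> str:
    """'13.0-83.27' -> '13.0', '10.2.9c' -> '10.2'."""
    return ".".join(re.split(r"[.\-]", version)[:2])


def affected_cves(product: str, version: str, fips: bool = False) -> Optional[set]:
    """Return the CVEs from the bulletin that still apply to this build.

    product: 'adc' for Citrix ADC / Citrix Gateway, 'wanop' for SD-WAN WANOP.
    fips:    True for the separately numbered 12.1-FIPS train (caller-supplied).
    Returns an empty set for a fixed build and None when the branch is not
    listed in the bulletin at all, so the reader must check with Citrix directly.
    Note that for CVE-2021-22956 the bulletin also requires a configuration
    change after upgrading; a fixed build number alone does not prove that.
    """
    if product == "adc":
        table, cves = ADC_FIXED, {"CVE-2021-22955", "CVE-2021-22956"}
    elif product == "wanop":
        table, cves = WANOP_FIXED, {"CVE-2021-22956"}
    else:
        raise ValueError(f"unknown product {product!r}")
    key = release_branch(version) + ("-FIPS" if fips else "")
    fixed = table.get(key)
    if fixed is None:
        return None
    return cves if parse_version(version) < parse_version(fixed) else set()


if __name__ == "__main__":
    # Constructed sample builds, not real inventory data.
    samples = [
        ("adc", "13.0-82.45", False),
        ("adc", "13.0-83.27", False),
        ("adc", "12.1-55.210", True),
        ("wanop", "10.2.9b", False),
        ("adc", "13.1-4.43", False),
    ]
    for product, ver, fips in samples:
        label = f"{product} {ver}{' (FIPS)' if fips else ''}"
        print(f"{label:22s} -> {affected_cves(product, ver, fips)}")
```

A `None` result is deliberately distinct from an empty set: a branch the bulletin does not list (for example a release newer than the ones named) is not known to be fixed, it is simply outside the notice's scope.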
Attack Vector
CVE-2021-22955 - Appliance must be configured as a VPN (Gateway) or AAA virtual server.
CVE-2021-22956 - Requires access to NSIP or SNIP with management interface access.
Attack Feasibility
While no known exploits are currently available, to reduce risk, Citrix strongly encourages you to apply the fixes as soon as possible.
Mitigations
No recommended mitigations are available.
Remediation
Citrix recommends that affected customers update to the current supported versions of Citrix ADC, Citrix Gateway, or Citrix SD-WAN WANOP as soon as possible.
In addition, upon upgrading to a fixed version, customers must also modify the device configuration to resolve CVE-2021-22956.