Security News > 2020 > July > Citrix tells everyone not to worry too much about its latest security patches. NSA's former top hacker disagrees
Citrix has issued patches for 11 CVE-listed security vulnerabilities in its various networking products.
Affected gear includes the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP. So far there have been no reports of any of the bugs being targeted in the wild, though Rob Joyce, former head of the NSA's Tailored Access Operations elite hacking team, urged admins to apply the patches - right after fixes emerged for vulns in F5 and Palo Alto networking gear, too.
Those who rely on Linux PCs will want to check out CVE-2020-8199, a flaw in the Citrix Gateway Plugin for Linux that can be exploited by a rogue user or malware already on the system to elevate its privileges and cause more damage.
That is a denial-of-service flaw in Citrix ADC and Citrix Gateway 12.0 or 11.1.
Looking to avoid a repeat of the Christmas security crisis, when a remote code execution bug was disclosed in ADC and Gateway, Citrix made a point of trying to calm the nerves of admins by bringing out CISO Fermin Serna to explain that none of the bugs are as serious, or as easily exploited, as the infamous CVE-2019-19781 "Shitrix" vulnerability in December.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/07/08/citrix_eleven_patches/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-07-10 | CVE-2020-8199 | Improper Privilege Management vulnerability in Citrix Gateway Plug-In for Linux Improper access control in Citrix ADC Gateway Linux client versions before 1.0.0.137 results in local privilege escalation to root. | 4.6 |
| 2019-12-27 | CVE-2019-19781 | Path Traversal vulnerability in Citrix products An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. | 9.8 |