Technical info on Citrix vulnerabilities & exploits limited after patches
Multinational IT company Citrix Systems, Inc. has decided against providing the complete technical details of the vulnerabilities found in its products. It also wouldn’t disclose the full details of the patches used to fix these vulnerabilities, in an attempt to limit the advancement of these exploits. 11 vulnerabilities were found in Citrix products Application Delivery Controller (ADC) and Gateway that would allow code injection, denial of service and information disclosure. 4 of these Citrix vulnerabilities were prone to exploitation by an unauthenticated attacker.
As a fix, the American software company released patches for the 11 Citrix vulnerabilities in its popular products, including Gateway and Citrix ADC. Some of these patches can be used to bypass authorization in order to inject code under some circumstances.
More about Citrix vulnerabilities
The Citrix vulnerabilities discovered could affect the company’s product range, with severity ranging from a low-risk privilege elevation flaw to serious-risk code injection and cross-site scripting weaknesses.
Fermin Serna, Chief Security Officer of Citrix, said the move of not revealing the technical details has been taken to protect intelligence from malicious attacks. Serna said sophisticated malicious actors use the details and patches to reverse engineer the exploits. Avoiding reverse engineering of exploits is the prime reason behind not releasing the technical details of the vulnerabilities and patches.
Out of the 11 vulnerabilities found, 6 are possible attack routes and 5 have barriers to exploitation. The patches added to protect the products completely resolve all the issues.
About the Citrix products under threat
The Citrix products at risk, Gateway and ADC, are software used for secure remote access and application-aware traffic management respectively. As per an assessment by Positive Technologies in December 2019, the products are currently being used in more than 80,000 in 158 companies. The vulnerabilities will also affect Citrix models 5100-WO, 5000-WO, 4100-WO and 4000-WO in addition to the company’s SD-WAN WANOP appliances.
Earlier this year, the server of Citrix Netscaler or Citrix Application Delivery Controller was subjected to extensive exploitation attempts. These attempts used CVE-2019-19781 to gain access to the devices to operate crypto-mining malware. Serna stressed that the bugs found now are not related to the critical CVE-2019-19781 in Citrix ADC and Gateway which was announced in December 2019.