Attacker Value: Very High (3 users assessed)
CTX276688: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update
Description
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in a number of security issues.
Technical Analysis
Active exploitation targeting recently published Citrix ADC vulns as of July 9, according to SANS ISC: https://isc.sans.edu/forums/diary/Active+Exploit+Attempts+Targeting+Recent+Citrix+ADC+Vulnerabilities+CTX276688/26330/
Attacker Value: Very High
Technical Analysis
Taking a quick look at [NCC group research](https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/) on this, it looks like combining the CVE-2020-8193 authentication bypass with one of the other vulnerabilities allows one to steal VPN session data from a device.
Would it be appropriate to include this analysis in CVE-2020-8195 and CVE-2020-8196 specifically?
Fetching those CVE via the API does not return this information and the associated attacker value, so any automation of this valuable assessment is being missed by API queries. I could add a link to this comment but again wanted to verify.
These are the urls:
https://attackerkb.com/topics/rSz4fDlp1Z/cve-2020-8195?referrer=search
https://attackerkb.com/topics/r0FRieLWQM/cve-2020-8196?referrer=search
@elligottmc Sounds fair enough (not sure if Brent is active on here these days!), yep. This topic was our catch-all when Citrix hadn’t specified the included CVEs yet.
@ccondon-r7 thank you! Updated relevant topics.
@elligottmc That’s awesome, thanks so much!
Technical Analysis
This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF