Very High
CVE-2020-8196
Description
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.
Ratings
- Attacker Value: Very High
Technical Analysis
This is an update based on the assessment provided in the more general topic for the Citrix vulns disclosed in https://support.citrix.com/article/CTX276688, which include this CVE. As API queries to this CVE do not contain this data, I am reflecting it in this topic.
Link to assessment:
https://attackerkb.com/assessments/50e7e3c5-644c-46ae-b650-1ef45cec22ad
Link to relevant url provided in the assessment:
https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
Additional link which provides a PoC:
https://github.com/Zeop-CyberSec/citrix_adc_netscaler_lfi
It is also included in the Oct 20 NSA Advisory on vulns exploited by Chinese APTs:
https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
Technical Analysis
This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
General Information
Products
- Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP