NetScaler ADC / Gateway Security Updates

There are some security patches needed to fix new vulnerabilities found with NetScaler ADC and NetScaler Gateway, see CTX232161 article. Please find below the the corresponding CVEs covered by the patches:

  • CVE-2018-6186: Citrix NetScaler VPX through NS12.0 allows an SSRF attack via the /rapi/read_url URI by an authenticated attacker who has a webapp account. The attacker can gain access to the nsroot account, and execute remote commands with root privileges,
  • CVE-2018-6808: Citrix NetScaler ADC / Gateway Arbitrary File Download Vulnerability,
  • CVE-2018-6809: Citrix NetScaler ADC / Gateway Privilege Escalation Vulnerability,
  • CVE-2018-6810: Citrix NetScaler ADC / Gateway Directory Traversal Vulnerability, and
  • CVE-2018-6811: Multiple Cross-Site Scripting vulnerabilities in Citrix NetScaler ADC / Gateway,

The issues above have been addressed in the following NSOS firmware builds:

  • Version 12.0 Build 57.19,
  • Version 11.1 Build 56.15,
  • Version 11.0 Build 71.18, and
  • Version 10.5 Build 67.10.

BTW: If you are using the latest NSOS 12.0 build (12.0-57.19) which fixes the vulnerabilities above, be informed that we have seen some Admin-GUI issues with that release. Some CUGC members are reporting this, too. In case you are facing one or more of unexpected GUI behaviours, switch to NetScaler command line, this will work as usual.

Leave a Reply