Cyberattackers could use a significant security flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway to disrupt entire corporate networks without requiring them to authenticate. 

The two Citrix solutions in issue (previously the NetScaler ADC and Gateway) are used to manage application-aware traffic and provide secure remote access, respectively. According to the alert, the federated working specialist released a security patch on Tuesday for the CVE-2021-22955 vulnerability, which permits unauthenticated denial of service (DoS) due to uncontrolled resource consumption. 

Citrix also fixed an issue of a lower severity that was caused by unmanaged resource usage. It affects both prior Citrix SD-WAN WANOP Edition products and the Citrix SD-WAN WANOP Edition appliance. The latter offers optimization for Citrix SD-WAN deployments, which enable secure connectivity and seamless access to virtual, cloud and software-as-a-service (SaaS) apps across enterprise and branch locations.

The second vulnerability, labelled CVE-2021-22956, allows for temporary interruption of a device's management GUI; the Nitro API for configuring and monitoring NetScaler appliances; and remote procedure call (RPC) communication, which is what facilitates Citrix's distributed computing in Citrix settings. 

In terms of exploitation's effect, all three products are extensively used over the world, with Gateway and ADC deployed in at least 80,000 firms in 158 countries as of early 2020, as per Positive Technologies analysis at the time. 

Any of the equipment being down could hinder remote and branch access to corporate assets and the blocking of cloud and virtual assets and apps in general. All of this makes them a tempting target for cybercriminals, and the Citrix ADC and Gateway, in particular, are far from novices when it comes to severe vulnerabilities. 

Though Citrix did not provide technical information on the new vulnerabilities, VulnDB stated on Wednesday that “the exploitability is told to be difficult. The attack can only be initiated within the local network. The exploitation doesn’t require any form of authentication.” 

Despite Citrix's internal classification of "critical," it gave the issue a severity score of 5.1 out of 10. The site stated that vulnerabilities are worth up to $5,000, and that "manipulation with an unknown input leads in a denial of service vulnerability...This will have a negative influence on availability." 

The vulnerabilities, according to the vendor, impact the following supported versions:

Citrix ADC and Citrix Gateway (CVE-2021-22955 and CVE-2021-22956): 

• Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27 

• Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22 

• Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23 

• Citrix ADC 12.1-FIPS before 12.1-55.257 

Citrix SD-WAN WANOP Edition (CVE-2021-22956): 

• Models 4000-WO, 4100-WO, 5000-WO and 5100-WO 

• Version 11.4 before 11.4.2 

• Version 10.2 before 10.2.9c 

• The WANOP feature of SD-WAN Premium Edition is not impacted. 

Appliances have to be set up as a VPN or AAA virtual server to be vulnerable to the initial Citrix ADC and Gateway flaw. In the case of the second bug, appliances must have management interface access to NSIP or SNIP. Customers that use Citrix-managed cloud services will not be impacted.