Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Citrix ADC, Gateway, and SD-WAN WAN-OP Authorization Bypass Vulnerability

Vulnerability

An authorization-bypass vulnerability has been identified in Citrix ADC, Citrix Gateway, and certain Citrix SD-WAN WAN-OP appliance models. It affects Citrix ADC and Citrix Gateway versions prior to 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18, and Citrix SD-WAN WAN-OP versions prior to 11.1.1a, 11.0.3d and 10.2.7. The flaw allows unauthenticated access to specific URL endpoints, but exploitation requires network access to the NetScaler IP (NSIP) management interface.

Impact

Exploitation of this vulnerability could lead to unauthorized access to management interface URL endpoints, potentially allowing an unauthenticated user to compromise the system.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'pcidss/report' endpoint with randomized 'X-NITRO-USER' and 'X-NITRO-PASS' headers. If the response indicates a successful session creation, the 'rand' value can be extracted and used to access files through the 'rapi/filedownload' endpoint, bypassing authorization checks.
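Because the bypass is a two-request sequence against the two endpoints named above, defenders can hunt for it in management-interface access logs. The following is an added example (not part of the advisory or of any Citrix tooling): it parses constructed common-log-style lines (the format is an assumption, not the appliance's native one) and escalates a 'rapi/filedownload' request to a chain finding only when the same source had a successful POST to 'pcidss/report' shortly before it, so ordinary authenticated admin downloads are not flagged.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a common-log-style layout (an assumption; not a
# real appliance's native format). Only the two endpoints named in the
# advisory matter to the logic below.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2026:10:01:02 +0000] "POST /pcidss/report HTTP/1.1" 200 512
203.0.113.7 - - [15/May/2026:10:01:05 +0000] "GET /rapi/filedownload HTTP/1.1" 200 9031
198.51.100.9 - - [15/May/2026:10:03:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048
192.0.2.44 - - [15/May/2026:10:05:10 +0000] "POST /pcidss/report HTTP/1.1" 403 0
198.51.100.9 - - [15/May/2026:10:30:00 +0000] "GET /rapi/filedownload HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec

def detect_auth_bypass_chain(log_text, window=timedelta(minutes=10)):
    """Every POST to pcidss/report is reported as a 'probe'. A rapi/filedownload
    request from a source that had a 2xx probe within `window` is a 'chain'.
    Assumes log lines are in chronological order."""
    findings = []
    last_ok_probe = {}  # src -> timestamp of its most recent successful probe
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith("/pcidss/report"):
            findings.append({"src": rec["src"], "stage": "probe", "status": rec["status"]})
            if 200 <= rec["status"] < 300:
                last_ok_probe[rec["src"]] = rec["ts"]
        elif rec["path"].endswith("/rapi/filedownload"):
            t0 = last_ok_probe.get(rec["src"])
            if t0 is not None and timedelta(0) <= rec["ts"] - t0 <= window:
                findings.append({"src": rec["src"], "stage": "chain", "status": rec["status"]})
    return findings

if __name__ == "__main__":
    for finding in detect_auth_bypass_chain(SAMPLE_LOG):
        print(finding)
```

Any hit at all on these endpoints from outside the management network is worth investigating, since the advisory's precondition is reachability of the NSIP interface.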

Remediation

Citrix has released patches for all supported versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WAN-OP. Users are advised to update to the latest versions. Instructions for downloading the updates are available on the Citrix website.

Added: May 15, 2026, 10:28 AM
Updated: May 15, 2026, 10:28 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 5.0
exploitability: 10.0
remediation: 0.0
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.