Citrix DDOS bug leaves networks vulnerable

Citrix patched a critical bug in its Application Delivery Controller and Gateway software that left networks open to DDOS attacks. It also fixed a less-severe SD-WAN WANOP bug.

Citrix has discovered a critical vulnerability affecting its Application Delivery Controller and Gateway products, which could be exploited to deny service to entire corporate networks.

This week, Citrix patched both that flaw and a less-severe vulnerability that affected the ADC and Gateway and the company's SD-WAN WANOP appliance used to optimize WAN links.

The ADC software manages application delivery and load balancing, while Gateway is an on-prem service that provides remote access to Citrix resources. The bug, related to uncontrolled resource consumption, could result in an unauthorized distributed denial-of-service attack if exploited. However, only appliances configured as a VPN (Gateway) or AAA virtual server are at risk.

SD-WAN WANOP appliances optimize WAN links to improve responsiveness and throughput. The less severe bug, which was also related to uncontrolled resource consumption, could temporarily disrupt communications between Management GUI, Nitro API, and RPC. Only WANOP devices of edition 11.4 before 11.4.2 or edition 10.2 before 10.2.9c are at risk.

Although Citrix itself rated the vulnerability as critical, the Vulnerability Database (VULDB) rated the bug's severity at only a 5.1 out of a possible 10, pointing out that the bug would be difficult to exploit.

"The attack can only be initiated within the local network. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available," VULDB said. The site rated the severity of the bug affecting SD-WAN WANOP at a 3.

Citrix encourages customers to install the relevant updates and reconfigure their modules as soon as possible.

The ADC and Gateway have been exposed to security risks before. Citrix released a patch for the products in January 2020 after discovering that a remote, unauthenticated attacker could perform arbitrary code execution.

Madelaine Millar is a news writer covering network technology at TechTarget. She has previously written about science and technology for MIT's Lincoln Laboratory and the Khoury College of Computer Science, as well as covering community news for Boston Globe Media. She is a graduate of Northeastern University, and originally hails from Missoula, Mont.

Dig Deeper on Threats and vulnerabilities