Citrix ADC, Gateway and SD-WAN WANOP DoS

Product: Citrix ADC, Gateway and SD-WAN WANOP
Severity: Medium
CVE Reference: CVE-2020-8246
Type: Denial of Service

Description

Various Citrix systems are susceptible to a remote Denial of Service condition via malformed traffic sent to nsconfigd, which by default listens on TCP port 3010. Parsing of the unexpected traffic causes the daemon to go into an infinite loop, after which it will be restarted by the pitboss system watchdog; after 6 restarts the system will reboot.

Impact

Attackers can remotely deny access to the system or to resources that rely on it; repeated exploitation causes a permanent outage.

Interim Workaround

Deploy network-based access controls in front of the management interface. Citrix strongly recommends that network traffic to the appliance's management interface be separated, either physically or logically, from normal network traffic.
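
One way to confirm the access control is in effect, as an added example that is not part of the original advisory or of Citrix's tooling: run it from a host on the normal (non-management) network, where it completes a TCP handshake to port 3010 and sends no data. The function names and the addresses under `__main__` are constructed for illustration.

```python
import socket

NSCONFIGD_PORT = 3010  # default nsconfigd TCP port named in the advisory


def probe(host, port=NSCONFIGD_PORT, timeout=3.0):
    """Classify how host:port answers from this vantage point.

    Only a TCP handshake is completed, then the socket is closed;
    no data is sent to the service.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "exposed"      # handshake completed: no ACL in the path
    except socket.timeout:
        return "filtered"         # silently dropped, typical of a deny rule
    except ConnectionRefusedError:
        return "closed"           # RST: rejected by a filter or nothing listening
    except OSError:
        return "unreachable"      # no route, name resolution failure, etc.


def audit(hosts, port=NSCONFIGD_PORT, timeout=3.0):
    """Probe every management address and return {host: status}."""
    return {host: probe(host, port, timeout) for host in hosts}


def violations(results):
    """Hosts whose nsconfigd port accepted a connection from here."""
    return sorted(h for h, status in results.items() if status == "exposed")


if __name__ == "__main__":
    # Constructed placeholder addresses (TEST-NET-1); replace with the
    # management IPs of your own appliances.
    appliances = ["192.0.2.10", "192.0.2.11"]
    results = audit(appliances)
    for host, status in results.items():
        print(f"{host}:{NSCONFIGD_PORT} {status}")
    raise SystemExit(1 if violations(results) else 0)
```

A non-zero exit status means at least one appliance accepted the connection from the network the check was run on, so the workaround is not yet in place for that path.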

Permanent Workaround

Deploy updated versions of the affected components. For a table listing supported versions, refer to https://support.citrix.com/article/CTX281474.

Detailed Timeline

Date        Summary
2020-05-19  Issue reported to vendor
2020-05-19  Citrix response, tracking as CASE-8024
2020-10-02  Public disclosure