A safe, secure, and resilient infrastructure is the lifeline of any organization. The organization must therefore track new Common Vulnerabilities and Exposures (CVEs), assess the impact of each CVE on its infrastructure, understand the available mitigations and remediations, and plan their application to resolve the vulnerabilities.
Citrix ADM security advisory highlights Citrix CVEs that put your ADC instances at risk and recommends mitigations and remediations. You can review the recommendations and take appropriate action by using Citrix ADM to apply the mitigations and remediations.
Security advisory features
The following security advisory features help you protect your infrastructure.
Scan: includes default system scan and on-demand scan.
- System scan: scans all managed instances by default once a week. Citrix ADM decides the date and time of system scans, and you cannot change them.
- On-demand scan: enables you to manually scan the instances when required. If the time elapsed after the last system scan is significant, you can run an on-demand scan to assess the current security posture. Or scan after a remediation or mitigation has been applied, to assess the revised posture.
CVE impact analysis: shows all CVEs impacting your infrastructure, all the ADC instances affected by each, and the suggested remediation and mitigation. Use this information to apply mitigation and remediation and fix the security risks.
CVE reports: stores copies of the last five scans. You can download these reports in CSV format and analyze them.
CVE repository: gives a detailed view of all the ADC-related CVEs that Citrix has announced since Dec 2019 and that might impact your ADC infrastructure. You can use this view to understand which CVEs are in the security advisory scope and to learn more about each CVE. For information on CVEs that are not supported, see Unsupported CVEs in Security Advisory.
Points to note
Keep the following points in mind while using security advisory:
Instances supported for CVE detection: all ADC (SDX, MPX, VPX) and Gateway.
CVEs supported: All CVEs after Dec 2019.
The detection and remediation of vulnerabilities impacting the Citrix Gateway plug-in for Windows is not supported by the Citrix ADM Security Advisory. For information on CVEs that are not supported, see Unsupported CVEs in Security Advisory.
Citrix ADM security advisory doesn’t account for any kind of feature misconfiguration while identifying the vulnerability.
Citrix ADM security advisory only supports the identification and remediation of the CVEs. It does not support identification and remediation of the security concerns that are highlighted in the Security article.
Scope of ADC, Gateway releases: The feature is limited to main builds. Security advisory does not include any special build in its scope.
Security advisory is supported on ADC instances running versions higher than 10.5; it is not supported on instances running 10.5 and lower versions.
Security advisory is not supported in Admin partition.
Types of scan:
Version scan: Citrix ADM compares the version of an ADC instance with the releases and builds on which the fix is available. This comparison lets the security advisory identify whether the ADC is vulnerable to the CVE. For example, if a CVE is fixed on ADC release and build xx.yy, security advisory considers all ADC instances on builds lower than xx.yy as vulnerable. Version scan is supported today in security advisory.
Config scan: Citrix ADM matches a CVE-specific pattern against the ADC configuration file (ns.conf). If the pattern is present in ns.conf, the instance is considered vulnerable to that CVE. This scan is typically used together with version scan. Config scan is supported today in security advisory.
Custom scan: Citrix ADM connects to the managed ADC instance, pushes a script to it, and runs the script. The script output helps Citrix ADM identify whether the ADC is vulnerable to the CVE. Examples include specific shell command output, specific CLI command output, certain logs, and the existence or content of certain directories or files. Security Advisory also uses custom scans to match multiple config patterns when a config scan alone cannot do so. For CVEs that require custom scans, the script runs every time a scheduled or on-demand scan runs. Learn more about the data collected and the options for specific custom scans in the Security Advisory documentation for that CVE.
Scans do not impact production traffic on ADC and do not alter any ADC configuration on ADC.
ADM Security Advisory does not support mitigation. If you have applied a mitigation (temporary workaround) to an ADC instance, ADM still identifies that ADC as vulnerable until you complete remediation.
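The version scan and config scan described above, as an added example that is not Citrix's code or advisory data: the CVE identifiers, fixed builds, config pattern and ns.conf excerpt are all constructed placeholders. It assumes builds compare as dotted integer tuples (82.45 is newer than 79.64) and that a release with no listed fix is treated as vulnerable.

```python
import re

# Constructed placeholders, not real advisory entries. For each CVE: the first
# build per release that carries the fix, and an optional ns.conf pattern that
# must also match (version scan combined with config scan).
CVE_DEFINITIONS = {
    "CVE-EXAMPLE-0001": {"fixed_builds": {"13.0": "82.45", "12.1": "62.23"},
                         "config_pattern": None},                 # version only
    "CVE-EXAMPLE-0002": {"fixed_builds": {"13.0": "76.29"},
                         "config_pattern": r"^add vpn vserver "},  # version + config
}


def build_key(build):
    """'82.45' -> (82, 45): assumed build ordering, compared as integer tuples."""
    return tuple(int(part) for part in build.split("."))


def version_scan(release, build, fixed_builds):
    """True when the instance build is lower than the fixed build for its release.
    Assumption: a release with no fixed build listed has no fix, so it is vulnerable."""
    fixed = fixed_builds.get(release)
    if fixed is None:
        return True
    return build_key(build) < build_key(fixed)


def config_scan(ns_conf, pattern):
    """True when any ns.conf line matches the CVE-specific pattern."""
    regex = re.compile(pattern)
    return any(regex.search(line) for line in ns_conf.splitlines())


def scan_instance(release, build, ns_conf, definitions=CVE_DEFINITIONS):
    """Return the CVE IDs affecting one instance, applying both scan types."""
    hits = []
    for cve_id, spec in definitions.items():
        if not version_scan(release, build, spec["fixed_builds"]):
            continue  # already on a build that carries the fix
        pattern = spec["config_pattern"]
        if pattern is not None and not config_scan(ns_conf, pattern):
            continue  # vulnerable build, but the affected feature is not configured
        hits.append(cve_id)
    return hits


# Constructed ns.conf excerpt for an instance with a Gateway virtual server.
SAMPLE_NS_CONF = """set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add vpn vserver gw_vs SSL 192.0.2.20 443
"""

if __name__ == "__main__":
    print(scan_instance("13.0", "79.64", SAMPLE_NS_CONF))
```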
How to use the security advisory dashboard
To access the Security Advisory dashboard, from the Citrix ADM GUI, navigate to Infrastructure > Instance Advisory > Security Advisory. The dashboard shows the vulnerability status of all the ADC instances that you manage through Citrix ADM. The instances are scanned once a week; however, you can scan them anytime by clicking Scan Now.
The dashboard includes three tabs:
- Current CVEs
- Scan Log
- CVE Repository
In the Security Advisory GUI or report, not all CVEs might appear; you might see only one CVE. As a workaround, click Scan Now to run an on-demand scan. After the scan completes, all the CVEs in scope (approximately 15) appear in the UI or report.
On the upper-right corner of the dashboard is the settings icon, which allows you to:
Enable and disable notifications
You can receive the following notifications for Citrix ADM security advisory activities:
- Email, Slack, PagerDuty, and ServiceNow notifications for scan result changes and new CVEs that are added to the security advisory repository
- Cloud notification for scan result changes
Configure Custom Scan Settings
Click the Custom Scan Settings drop-down to view the additional settings check box. Select the check box to opt out of Security Advisory custom scans. If you opt out, the impact of CVEs that need a custom scan is not evaluated for your ADC instances in the Security Advisory.
The Current CVEs tab shows the number of CVEs impacting your instances and also the instances that are impacted by CVEs. The tabs are not sequential; as an admin, you can switch between them depending on your use case.
The table showing the number of CVEs impacting the ADC instances has the following details.
CVE ID: The ID of the CVE impacting the instances.
Publication date: The date the security bulletin was released for that CVE.
Severity score: The severity type (high/medium/critical) and score. To see the score, hover over the severity type.
Vulnerability type: The type of vulnerability for this CVE.
Affected ADC instances: The number of instances that the CVE ID impacts. Hover over the count to see the list of ADC instances.
Remediation: The available remediations, which are upgrading the instance (usually) or applying configuration packs.
The same instance can be impacted by multiple CVEs. This table helps you see how many instances one particular CVE or multiple selected CVEs are impacting. To check the IP address of the impacted instance, hover over ADC Details under Affected ADC Instances. To check the details of the impacted instance, click View Affected Instances at the bottom of the table. You can also add or remove columns in the table by clicking the plus sign.
In this example screen, 14 CVEs impact your instances, and one instance is impacted by these CVEs.
The <number of> ADC instances are impacted by CVEs tab shows all the affected ADC instances managed by Citrix ADM. The table shows the following details:
- ADC IP address
- Host name
- ADC model number
- State of the ADC
- Software version and build
- List of CVEs impacting the ADC.
In the following screen capture, one ADC instance is impacted. You can add or remove any of these columns according to your need by clicking the + sign.
To fix the vulnerability, select the ADC instance and apply the recommended remediation. Most CVEs need an upgrade as remediation, while others need an upgrade and an additional step.
For CVE-2020-8300 remediation, see Remediate vulnerabilities for CVE-2020-8300.
For CVE-2021-22927 and CVE-2021-22920, see Remediate vulnerabilities for CVE-2021-22927 and CVE-2021-22920.
For CVE-2021-22956, see Identify and remediate vulnerabilities for CVE-2021-22956.
For CVE-2022-27509, see Remediate vulnerabilities for CVE-2022-27509.
If your ADC instances have customizations, see Upgrade considerations for customized ADC configurations before planning ADC upgrade.
Upgrade: You can upgrade the vulnerable ADC instances to a release and build that has the fix. This detail can be seen in the remediation column. To upgrade, select the instance and then click Proceed to upgrade workflow. In the upgrade workflow, the vulnerable ADC is auto-populated as the target ADC.
The releases 12.0, 11.0, 10.5, and lower have already reached end of life (EOL). If your ADC instances are running on any of these releases, upgrade to a supported release.
The upgrade workflow starts. For more information on how to use Citrix ADM to upgrade ADC instances, see Create an ADC upgrade job.
The release and build to which you upgrade is at your discretion. Check the advice under the Remediation column to see which releases and builds contain the security fix, then select from those a supported release and build that has not yet reached end of life.
The Scan Log tab shows reports of the last five scans, which include both default system scans and on-demand user-initiated scans. You can download the report of each scan in CSV format. If an on-demand scan is in progress, you can see the completion status here. If a scan has failed, the status indicates that.
The CVE Repository tab includes the latest information on all CVEs since December 2019, along with the following details:
- CVE IDs
- Vulnerability type
- Publication date
- Severity level
- Links to security bulletins
The security advisory shows when the instances were last scanned and when the next scan is scheduled. You can also scan the instances anytime, according to your need. Click Scan Now to get the latest security report of your instances. Citrix ADM takes a few minutes to complete the scan.
Once scanning is complete, the revised security details appear in the security advisory GUI. You can also find the report under Scan Log, from where you can download it.
Scan Log shows the logs of only the last five scans, which can be either scheduled or on-demand.
As an admin, you receive Citrix Cloud notifications that tell you how many ADC instances are vulnerable. To see the notifications, click the bell icon in the upper-right corner of the Citrix ADM GUI.