Citrix Application Delivery Management service

Remediate vulnerabilities for CVE-2020-8300

In the Citrix ADM security advisory dashboard, under Current CVEs > <number of> ADC instances are impacted by CVEs, you can see all the instances vulnerable due to this specific CVE. To check the details of the CVE-2020-8300 impacted instances, select CVE-2020-8300 and click View Affected Instances.

[Image: Security advisory dashboard for CVE-2020-8300]

Note

For more information about the security advisory dashboard, see Security Advisory.

The <number of> ADC instances impacted by CVEs window appears. Here you see the count and details of the ADC instances impacted by CVE-2020-8300.

[Image: Instances impacted by CVE-2020-8300]

Remediate CVE-2020-8300

For ADC instances impacted by CVE-2020-8300, remediation is a two-step process. In the GUI, under Current CVEs > ADC instances are impacted by CVEs, you can see steps 1 and 2.

[Image: Remediation steps]

The two steps include:

  1. Upgrading the vulnerable ADC instances to a release and build that has the fix.
  2. Applying the required configuration commands using the customizable built-in configuration template in configuration jobs. Follow this step for each vulnerable ADC one at a time and include all SAML actions and SAML profiles for that ADC.

Under Current CVEs > ADC instances impacted by CVEs, you see two separate workflows for this two-step remediation process: Proceed to upgrade workflow and Proceed to configuration job workflow.

[Image: Remediation workflows]

Step 1: Upgrade the vulnerable ADC instances

To upgrade the vulnerable instances, select the instances and click Proceed to upgrade workflow. The upgrade workflow opens with the vulnerable ADC instances already populated.

[Image: Remediation step 1]

For more information on how to use ADM to upgrade ADC instances, see Create an ADC upgrade job.

Note

This step can be done at once for all the vulnerable ADC instances.

Step 2: Apply configuration commands

After you’ve upgraded the impacted instances, in the <number of> ADC instances impacted by CVEs window, select one instance impacted by CVE-2020-8300 and click Proceed to configuration job workflow. The workflow includes the following steps.

  1. Customizing the configuration.
  2. Reviewing the auto-populated impacted instances.
  3. Specifying inputs for variables for the job.
  4. Reviewing the final config with variable inputs populated.
  5. Running the job.

Step 1: Select configuration

In the configuration job workflow, the built-in configuration template auto-populates under Select configuration.

[Image: Select config]

Run a separate configuration job for each impacted ADC instance, one at a time, and include all SAML actions and SAML profiles for that ADC. For example, if you have two vulnerable ADC instances, each with two SAML actions and two SAML profiles, you must run this configuration job twice: once per ADC, covering all of its SAML actions and SAML profiles.

ADC 1                                        ADC 2
Job 1: two SAML actions + two SAML profiles  Job 2: two SAML actions + two SAML profiles

Give the job a name and customize the template. The built-in configuration template is only an outline or base template; customize it for your deployment according to the following requirements:

a. SAML actions and their associated domains

Depending on the number of SAML actions you have in your deployment, you must replicate lines 1–3 and customize the domains for each SAML action.

[Image: Customize SAML action]

For example, if you have two SAML actions, repeat lines 1–3 twice and customize the variable definitions for each SAML action accordingly.

If you have N domains for a SAML action, you must manually enter the line bind patset $saml_action_patset$ "$saml_action_domain1$" N times for that SAML action, so that one bind line exists per domain, and change the following variable definition names in each copy:

  • saml_action_patset: the config template variable that represents the name of the pattern set (patset) for the SAML action. You specify the real value in step 3 of the config job workflow; see the section Step 3: Specify variable values in this document.

  • saml_action_domain1: the config template variable that represents the domain name for that specific SAML action. You specify the real value in step 3 of the config job workflow; see the section Step 3: Specify variable values in this document.

To find all the SAML actions for a device, run the command show samlaction.

[Image: Find SAML action]

b. SAML profiles and their associated URLs

Depending on the number of SAML profiles you have in your deployment, replicate lines 4–6. Customize the URLs for each SAML profile.

[Image: Customize SAML profile]

For example, if you have two SAML profiles, manually enter lines 4–6 twice and customize the variable definitions for each SAML profile accordingly.

If you have N URLs for a SAML profile, you must manually enter the line bind patset $saml_profile_patset$ "$saml_profile_url1$" N times for that SAML profile, so that one bind line exists per URL, and change the following variable definition names in each copy:

  • saml_profile_patset: the config template variable that represents the name of the pattern set (patset) for the SAML profile. You specify the real value in step 3 of the config job workflow; see the section Step 3: Specify variable values in this document.

  • saml_profile_url1: the config template variable that represents the URL for that specific SAML profile. You specify the real value in step 3 of the config job workflow; see the section Step 3: Specify variable values in this document.

To find all the SAML profiles for a device, run the command show samlidpProfile.

[Image: Find SAML profile]

Step 2: Select the instance

The impacted instance is auto-populated under Select Instances. Select the instance and click Next.

[Image: Select instance]

Step 3: Specify variable values

Enter the variable values.

  • saml_action_patset: add a name for the SAML action patset
  • saml_action_domain1: enter a domain in the format https://<example1.com>/
  • saml_action_name: enter the name of the SAML action for which you are configuring the job
  • saml_profile_patset: add a name for the SAML profile patset
  • saml_profile_url1: enter the URL in this format: https://<example2.com>/cgi/samlauth
  • saml_profile_name: enter the name of the SAML profile for which you are configuring the job

Note

For URLs, the path is not always cgi/samlauth. It depends on which third-party authorization provider you use, so enter the path that applies to your deployment.

[Image: Specify variables]

Step 4: Preview the configuration

Preview the configuration with the variable values inserted, and click Next.

Step 5: Run the job

Click Finish to run the configuration job.

[Image: Run configuration job]

After the job is run, it appears under Infrastructure > Configuration > Configuration Jobs.

After completing the two remediation steps for all vulnerable ADCs, you can run an on-demand scan to see the revised security posture.

Points to note for ADM Express account

The ADM Express account has limited features, including a limit of two configuration jobs. To know more about the Citrix ADM Express account, see Manage Citrix ADM resources using Express account. For CVE-2020-8300 remediation, you must run as many configuration jobs as you have vulnerable ADC instances. So, if you have an Express account and need to run more than two configuration jobs, follow this workaround.

Workaround: Run two configuration jobs for two vulnerable ADC instances and then delete both the jobs to continue running the next two jobs for the next two vulnerable ADC instances. Continue this until you have covered all vulnerable instances. Before deleting the jobs, you can download the report for future reference. To download the report, under Network > Jobs, select the jobs and click Download under Actions.

Example: If you have six vulnerable ADC instances, run two configuration jobs on two vulnerable instances respectively and then delete both the configuration jobs. Repeat this step another two times. At the end, you would have run six config jobs for six ADC instances respectively. In the ADM UI under Infrastructure > Jobs, you see only the last two configuration jobs.

Scenario

In this scenario, three ADC instances are vulnerable to CVE-2020-8300 and you need to remediate all the instances. Follow these steps:

  1. Upgrade all the three ADC instances by following the steps given in the “Upgrade an instance” section in this document.

  2. Apply config patch to one ADC at a time, using the configuration job workflow. See the steps given in the “Apply configuration commands” section in this document.

The vulnerable ADC 1 has the following configuration:

  • Two SAML actions: SAML action 1 has one domain, and SAML action 2 has two domains.
  • Two SAML profiles: SAML profile 1 has one URL, and SAML profile 2 has two URLs.

Start a configuration job workflow

Select ADC 1 and click Proceed to configuration job workflow. The built-in template auto-populates. Next, give a job name and customize the template according to the given configuration.

[Image: Customize template for given scenario]

The following tables list the variable definitions for customized parameters.

Table 1. Variable definitions for SAML action

ADC configuration              Variable definition for patset  Variable definition for SAML action name  Variable definition for domain
SAML action 1 has one domain   saml_action_patset1             saml_action_name1                         saml_action_domain1
SAML action 2 has two domains  saml_action_patset2             saml_action_name2                         saml_action_domain2, saml_action_domain3

Table 2. Variable definitions for SAML profile

ADC configuration              Variable definition for patset  Variable definition for SAML profile name  Variable definition for URL
SAML profile 1 has one URL     saml_profile_patset1            saml_profile_name1                         saml_profile_url1
SAML profile 2 has two URLs    saml_profile_patset2            saml_profile_name2                         saml_profile_url2, saml_profile_url3
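Customizing the template by hand is where miscounts happen when an ADC has many SAML actions or profiles, so here is an added helper (not Citrix ADM code and not the built-in template) that plans the job for one ADC: it names the variables exactly as in Tables 1 and 2, numbering domain and URL variables consecutively across the ADC, checks that each value has the https://<host>/ or https://<host>/<path> shape required in Step 3, and emits the one-per-domain/URL bind patset lines. The SAML object names, hostnames and the <object>_patset naming are constructed; the template's other lines are left to the built-in template.

```python
# Added helper, not part of Citrix ADM or its built-in template. It plans the
# per-ADC configuration job: for each SAML action (domains) and SAML IdP
# profile (URLs) it names the template variables to define and emits the
# "bind patset" line once per domain/URL, numbered as in Tables 1 and 2.
from urllib.parse import urlsplit


def check_value(kind, value):
    """Domains must look like https://<host>/, URLs like https://<host>/<path>."""
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{value!r} must start with https://<host>")
    if kind == "action" and parts.path != "/":
        raise ValueError(f"SAML action domain {value!r} must end in a single '/'")
    if kind == "profile" and len(parts.path) < 2:
        raise ValueError(f"SAML profile URL {value!r} needs a path, e.g. /cgi/samlauth")


def plan_job(saml_actions, saml_profiles):
    """Each argument: list of (object name on the ADC, [domains or URLs]).
    Returns (variables to enter in Step 3, bind lines for the template)."""
    variables, lines = {}, []
    for kind, items, valname in (("action", saml_actions, "domain"),
                                 ("profile", saml_profiles, "url")):
        counter = 0  # domain/URL variables run consecutively across the ADC
        for idx, (obj_name, values) in enumerate(items, start=1):
            if not values:
                raise ValueError(f"SAML {kind} {obj_name!r} has no {valname}s")
            patset_var = f"saml_{kind}_patset{idx}"
            name_var = f"saml_{kind}_name{idx}"
            variables[patset_var] = f"{obj_name}_patset"  # constructed patset name
            variables[name_var] = obj_name
            for value in values:
                check_value(kind, value)
                counter += 1
                val_var = f"saml_{kind}_{valname}{counter}"
                variables[val_var] = value
                lines.append(f'bind patset ${patset_var}$ "${val_var}$"')
    return variables, lines


def scenario_adc1():
    """ADC 1 from the scenario above, with constructed object names and hosts."""
    actions = [("saml_act_a", ["https://sp1.example.com/"]),
               ("saml_act_b", ["https://sp2.example.com/", "https://sp3.example.com/"])]
    profiles = [("saml_idp_x", ["https://idp1.example.com/cgi/samlauth"]),
                ("saml_idp_y", ["https://idp2.example.com/cgi/samlauth",
                                "https://idp3.example.com/saml/acs"])]
    return plan_job(actions, profiles)
```

Calling scenario_adc1() yields six bind lines (three per object type) and the variable set of Tables 1 and 2; the dict values are what you type into Specify Variable Values.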

Under Select Instances, select ADC 1 and click Next. The Specify Variable Values window appears. In this step, you need to provide values for all the variables defined in the previous step.

[Image: Specify variable scenario]

Next, review the variables.

Click Next and then click Finish to run the job.

After the job is run, it appears under Infrastructure > Configuration > Configuration Jobs.

After completing the two remediation steps for ADC 1, follow the same steps to remediate ADC 2 and ADC 3. After remediation is complete, you can run an on-demand scan to see the revised security posture.

Training video

See the following training video to learn more.

Citrix ADM service security advisory can help you identify and remediate CVE-2020-8300.
