CVE-2020-8196
Published: 10 July 2020
Summary
CVE-2020-8196 is a medium-severity Improper Access Control (CWE-284) vulnerability in Citrix Application Delivery Controller (ADC) firmware, also affecting Citrix Gateway and Citrix SD-WAN WAN-OP. Its CVSS 3.1 base score is 4.3 (Medium).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations identified in this analysis are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2020-8196 is an improper access control vulnerability, also referenced under CWE-284 and CWE-287, that affects Citrix ADC and Citrix Gateway versions prior to 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14, and 10.5-70.18, as well as Citrix SD-WAN WAN-OP versions prior to 11.1.1a, 11.0.3d, and 10.2.7. The flaw permits limited information disclosure and carries a CVSS 3.1 base score of 4.3, reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, and a low confidentiality impact with no integrity or availability impact.
Low-privileged authenticated users can exploit the issue over the network to obtain restricted information that should otherwise be inaccessible; the public proof-of-concept material referenced for this CVE describes local file inclusion behavior on the affected appliances.
Citrix advisory CTX276688 covers the affected products and provides the fixed builds listed above; organizations should upgrade to those builds or later. CISA has also catalogued the vulnerability among actively exploited issues (KEV), indicating confirmed real-world targeting of unpatched Citrix deployments.
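The practical question raised by the version list above is whether a given appliance is below the fixed build for its branch. The following Python script is an added example written for this page (it is not Citrix's code or part of the advisory): it parses the version banner an ADC/Gateway appliance prints for `show ns version` (the format "NetScaler NS13.0: Build 58.30.nc, Date: ..." is an assumption about the banner layout) and the plain "11.1.1a"-style release strings of SD-WAN WAN-OP, and compares them against the fixed builds quoted on this page. The sample banners at the bottom are constructed, not captured from real devices; branches the advisory does not list are reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# First non-vulnerable build per ADC/Gateway branch, as listed on this page.
ADC_FIXED = {
    "13.0": (58, 30),
    "12.1": (57, 18),
    "12.0": (63, 21),
    "11.1": (64, 14),
    "10.5": (70, 18),
}

# First non-vulnerable SD-WAN WAN-OP release per branch (major.minor), as listed on this page.
WANOP_FIXED = {
    "11.1": "11.1.1a",
    "11.0": "11.0.3d",
    "10.2": "10.2.7",
}

# Assumed banner layout: "NetScaler NS13.0: Build 58.30.nc, Date: Jul 6 2020, 03:51:30"
_ADC_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_adc_version(banner: str) -> Optional[Tuple[str, int, int]]:
    """Return (branch, build_major, build_minor) from a 'show ns version' banner, or None."""
    m = _ADC_RE.search(banner)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def adc_status(banner: str) -> str:
    """'vulnerable', 'fixed', 'unknown-branch' (not covered by the advisory list) or 'unparsed'."""
    parsed = parse_adc_version(banner)
    if parsed is None:
        return "unparsed"
    branch, build_major, build_minor = parsed
    fixed = ADC_FIXED.get(branch)
    if fixed is None:
        return "unknown-branch"
    # Builds compare as (major, minor) tuples: 58.30 is fixed, 58.29 or 47.24 is not.
    return "vulnerable" if (build_major, build_minor) < fixed else "fixed"


def wanop_key(version: str):
    """Turn '11.1.1a' into ((11, 1, 1), 'a') so that '11.1.1' < '11.1.1a' < '11.1.2'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unrecognised WAN-OP version: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2)  # an empty suffix sorts before 'a', 'b', ...


def wanop_status(version: str) -> str:
    """'vulnerable', 'fixed' or 'unknown-branch' for an SD-WAN WAN-OP release string."""
    numbers, _suffix = wanop_key(version)
    branch = ".".join(str(n) for n in numbers[:2])
    fixed = WANOP_FIXED.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "vulnerable" if wanop_key(version) < wanop_key(fixed) else "fixed"


if __name__ == "__main__":
    # Constructed sample banners and release strings (not real device output).
    for banner in [
        "NetScaler NS13.0: Build 47.24.nc, Date: Dec 1 2019, 12:00:00",
        "NetScaler NS13.0: Build 58.30.nc, Date: Jul 6 2020, 03:51:30",
        "NetScaler NS12.1: Build 56.22.nc, Date: May 1 2020, 09:00:00",
        "NetScaler NS13.1: Build 4.43.nc, Date: Jan 1 2021, 09:00:00",
    ]:
        print(f"{adc_status(banner):15} {banner}")
    for release in ["11.1.1", "11.1.1a", "11.0.3c", "10.2.7", "11.2.0"]:
        print(f"{wanop_status(release):15} WAN-OP {release}")
```

The comparison is deliberately per-branch: a 12.0 appliance on build 63.21 is fixed even though 13.0 needs a far higher build number, so collapsing everything into one number line would misclassify it. Treat "unknown-branch" as "go read CTX276688", not as safe.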
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-29073
Vulnerability details
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.
- CWE(s): CWE-284 (Improper Access Control), CWE-287 (Improper Authentication)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved access control policies to block low-privileged users from obtaining restricted information on the Citrix appliance.
- AC-6 (Least Privilege): Ensures users operate with the minimum set of privileges required, limiting what a low-privileged account can reach even where the access check is flawed.
- AC-4 (Information Flow Enforcement): Enforces information flow policies between security domains to stop unauthorized disclosure of restricted data over the network.