A vulnerability has been identified in Citrix Access Gateway Standard Edition that could allow an unauthenticated user to gain access to network resources.
This vulnerability has been assigned the following CVE number:
• CVE-2013-2263
This vulnerability affects all 5.0.x versions of the Citrix Access Gateway Standard Edition appliance firmware earlier than 5.0.4.223524.
Citrix Access Gateway Standard Edition versions 4.5.x and 4.6.x are not affected by this vulnerability.
What Customers Should Do
A patch for version 5.0.4 of the Citrix Access Gateway Standard Edition firmware has been released to address this vulnerability. Citrix strongly recommends that all customers using affected versions of Citrix Access Gateway Standard Edition apply this patch to their appliances as soon as possible.
This patch can be found at the following location under the Appliance Firmware section (you will need to log in with your MyCitrix ID):
http://www.citrix.com/downloads/netscaler-access-gateway/product-software/access-gateway-504.html
Acknowledgements
Citrix thanks Ben Williams, David Middlehurst and James Eaton-Lee of NCCGroup (http://www.nccgroup.com) for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Important Note(s) about This Maintenance Release
- This maintenance release updates Access Gateway 5.0.4 only. If you are running an earlier version of Access Gateway, you must upgrade to version 5.0.4 to install this patch.
- This maintenance release replaces all previously released patches.
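The affected-version ranges and the upgrade-first rule above can be applied to an appliance inventory with a short script. The following Python is an added example, not Citrix code; the host names and build numbers in the sample inventory are constructed, and the status strings and function names are this example's own.

```python
import re

# First fixed build of the 5.0.x branch, as stated in the advisory.
FIXED = (5, 0, 4, 223524)

def triage(version: str) -> str:
    """Map one firmware version string to an action for CVE-2013-2263."""
    v = version.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", v):
        return "unparseable: check manually"
    parts = tuple(int(p) for p in v.split("."))
    if parts[:2] in ((4, 5), (4, 6)):
        return "not affected"
    if parts[:2] != (5, 0):
        return "not covered by this advisory"
    if len(parts) == 2:
        return "5.0.x, maintenance level unknown: check manually"
    if parts == (5, 0, 4):
        # Without the build number, patched and unpatched 5.0.4 look alike.
        return "5.0.4, build unknown: confirm the build number"
    if parts >= FIXED:
        return "fixed build or later"
    if parts[2] < 4:
        # The patch installs on 5.0.4 only, so older releases upgrade first.
        return "affected: upgrade to 5.0.4, then apply the patch"
    return "affected: apply the 5.0.4 patch"

def triage_inventory(inventory: dict) -> dict:
    """Return {host: action} for every appliance in the inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}

# Constructed sample inventory; hosts and build numbers are illustrative only.
SAMPLE = {
    "cag-edge-01": "5.0.4.223524",
    "cag-edge-02": "5.0.4.200000",
    "cag-branch-01": "5.0.2",
    "cag-branch-02": "5.0.4",
    "cag-legacy-01": "4.6.3",
    "cag-lab-01": "unknown",
}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE).items():
        print(f"{host:15} {SAMPLE[host]:14} {action}")
```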
Downloading and Installing This Maintenance Release
You can install this maintenance release on the Access Gateway appliance by using the Access Gateway Management Console.
To download this maintenance release
- Go to the Citrix Web site, click My Citrix, and log on.
- At the top of the Web page, click Downloads.
- In Search Downloads by Product, select Citrix Access Gateway.
- Under Product Software, click the link that matches your edition and software release version to reach the download page.
- Click Get Software to start the download and save it to a folder on your computer.
To install this maintenance release on the Access Gateway appliance
- In the Access Gateway Management Console, click Snapshots.
- In the Software Releases and Configuration Snapshots panel, next to Software Releases, click Import.
- Navigate to the software upgrade file you saved on your computer and then click Open.
The software installation starts.
After completing the software installation, the new version appears in the Software Releases panel. To make the new version active, select the version, click Migrate and then restart Access Gateway.
Sources:
Vulnerability: http://support.citrix.com/article/CTX136623
CAG 5.0.4 patch: http://support.citrix.com/article/CTX136855