Description of Problem
A vulnerability has been identified that impacts Citrix SD-WAN.
Affected Versions:
The vulnerability affects the following supported versions of Citrix SD-WAN:
- SD-WAN Standard/Premium Editions on or after 11.4.0 and before 11.4.4.46
Summary:
Citrix SD-WAN contains the vulnerability described below:
CVE ID | Description | Pre-requisites | CWE | CVSS |
---|---|---|---|---|
CVE-2024-2049 | If exploited, an attacker may disclose limited information from the appliance | Access to management interface | | 6.5 |
Mitigating Factors
CVE-2024-2049 only impacts the Citrix SD-WAN management interface.
Customers may perform one of the following workarounds to reduce the risk of exploitation of this CVE.
Workaround-1: Cloud Software Group strongly recommends that network traffic to the appliance’s management interface be separated, either physically or logically, from normal network traffic. In addition, we recommend users do not expose the management interface to the internet. Doing so significantly reduces the risk of exploitation of this issue. Please see the following ‘Best Practices for Deployment of CITRIX SD-WAN’ article for more information: https://support.citrix.com/article/CTX228225/best-practices-for-deployment-of-citrix-sdwan
Workaround-2: In addition to separating the appliance’s management interface from network traffic, Cloud Software Group has created a script that can be run on the vulnerable appliance to reduce the risk of exploitation for customers who may not be able to install relevant updated versions. Customers may reach out to Support for further guidance or information on this workaround.
What Customers Should Do
Cloud Software Group recommends that affected customers of Citrix SD-WAN install the relevant updated versions as soon as their upgrade schedule permits.
Citrix SD-WAN versions that contain the fixes are:
SD-WAN Standard/Premium Editions 11.4.4.46 and later releases
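The following is an added example, not part of the Citrix advisory: a Python triage that sorts an appliance inventory against the affected range and fixed release stated above. The inventory, hostnames, sample versions (including 11.4.10.2, constructed to show why the comparison must be numeric) and the plain dotted version-string format are assumptions.

```python
import re

# Range stated in the advisory for SD-WAN Standard/Premium Editions.
FIRST_AFFECTED = (11, 4, 0, 0)   # "on or after 11.4.0"
FIRST_FIXED = (11, 4, 4, 46)     # "before 11.4.4.46"; also the fixed release

def parse_version(text):
    """Turn '11.4.4.46' or '11.4.0' into a 4-tuple, padding with zeros."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})\s*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed'."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparsed"
    # Tuples compare numerically, so 11.4.10.x sorts after 11.4.4.46.
    if version >= FIRST_FIXED:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return "affected"
    # Releases below 11.4.0 are outside the range the advisory covers
    # (it speaks only about supported versions), so do not report them safe.
    return "not-listed"

def triage(inventory):
    """Group appliance names by classification."""
    result = {"affected": [], "fixed": [], "not-listed": [], "unparsed": []}
    for name, version_text in inventory:
        result[classify(version_text)].append(name)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("branch-01", "11.4.0"),
    ("branch-02", "11.4.4.45"),
    ("branch-03", "11.4.4.46"),
    ("branch-04", "11.4.10.2"),
    ("dc-01", "11.3.2"),
    ("dc-02", "unknown"),
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status:11} {', '.join(names) or '-'}")
```

Appliances reported as `affected` are the ones to upgrade or cover with the workarounds; `not-listed` and `unparsed` entries need a manual look rather than being treated as safe.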
As a reminder, Cloud Software Group has announced a Notice of Status Change for the Citrix SD-WAN product line to explain the Citrix SD-WAN life cycle management milestones as well as important information regarding dates and options during this period: https://support.citrix.com/article/CTX465114/notice-of-change-announcement-for-citrix-citrix-sdwan
Changelog
2024-03-12T16:00:00Z | Initial publication |