09 June, 2021 #Citrix

How to Citrix ADC: CVE-2020-8299 & CVE-2020-8300

Yesterday two new CVEs were published regarding the Citrix ADC (NetScaler) / SD-WAN appliances.
This guide is meant to help you power through the fix, as I noticed the syntax can be a bit intimidating at first sight.



CVE-2020-8299

This one is fixed if you are running any of the following firmware versions:

  • Citrix ADC and Citrix Gateway 13.0-76.29 and later releases of 13.0 
  • Citrix ADC and Citrix Gateway 12.1-61.18 and later releases of 12.1 
  • Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1 
  • Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS 
  • Citrix SD-WAN WANOP 11.4.0 and later releases of 11.4 
  • Citrix SD-WAN WANOP 11.3.2 and later releases of 11.3 
  • Citrix SD-WAN WANOP 11.3.1a and later releases of 11.3 
  • Citrix SD-WAN WANOP 11.2.3a and later releases of 11.2 
  • Citrix SD-WAN WANOP 11.1.2c and later releases of 11.1 
  • Citrix SD-WAN WANOP 10.2.9a and later releases of 10.2 

Is your firmware version older than the ones in the list? Make sure to upgrade and your ADC/SD-WAN will no longer be affected.
Not sure how to do that? Please see my ‘Update your Citrix ADC’ blog post:

CVE-2020-8300

This CVE affects Citrix ADC appliances that utilize SAML for authentication through either SAML IDP or SAML SP.

To fix CVE-2020-8300 you need to meet both of the following conditions:
1. Have the right version for your Citrix ADC
2. Have the proper relayStateRule expression in place

Firmware Version

The following supported versions of Citrix ADC and Citrix Gateway address CVE-2020-8300, a High severity vulnerability.  

  • Citrix ADC and Citrix Gateway 13.0-82.41 and later releases of 13.0 
  • Citrix ADC and NetScaler Gateway ADC 12.1-62.23 and later releases of 12.1 
  • Citrix ADC and NetScaler Gateway 11.1-65.20 and later releases of 11.1 
  • Citrix ADC 12.1-FIPS 12.1-55.238 and later releases of 12.1-FIPS 

Not in the list? Make sure to upgrade and your ADC/SD-WAN will no longer be affected.
Not sure how to do that? Please see my ‘Update your Citrix ADC’ blog post:

relayStateRule Expression

Full documentation of the RelayStateRule can be found here: https://support.citrix.com/article/CTX316577
I will walk you through creating the first option (single domain) through the GUI.
First we need to determine which relayStateRule domain you need to add.

Update: Please Read

The syntax below (Single/Multi Domain) is the one Citrix recommends in the KB article.
Multiple customers reported issues with this syntax (white page, black text; Relay not allowed…).
After communication/troubleshooting with Citrix Support the following syntax was provided.
Use this when you get the ‘Relay error’ on your ADC published page.

AAA.LOGIN.RELAYSTATE.EQ("https://portal.abc.com/") || (AAA.LOGIN.RELAYSTATE.LENGTH.EQ(0) && HTTP.REQ.HOSTNAME.EQ("portal.abc.com"))

Single Domain

I browse to mickgateway.com to log in to my Citrix Gateway.
Since I use SAML on my gateway it redirects me to Microsoft (Azure AD 🙂 ).
So before hitting the SAML authentication page I only go through mickgateway.com.
The relayStateRule needs to contain all the domains you pass through before hitting the SAML authentication page.

My relay state rule for this single domain would need to be:

AAA.LOGIN.RELAYSTATE.EQ("https://mickgateway.com/")

Mind the slash at the end of the domain. This is required.


Multi Domain


Now imagine I have multiple domains (e.g. applications) that are published on the ADC, each under its own domain, with the AAA vserver for SAML bound to them:
application1.mick.com
application2.mick.com
These would also need to be added to the same relay state rule, but in a different manner.

First we need to create a patset via the CLI and then bind that patset to the relaystate rule.
For example:

add patset mickdomains
bind patset mickdomains "https://application1.mick.com/"
bind patset mickdomains "https://application2.mick.com/"

Then bind the patset to the relaystate like this:

AAA.LOGIN.RELAYSTATE.CONTAINS_ANY("mickdomains")

Implementation on the Policy


To implement this rule I need to do the following.

1. Open my Citrix ADC GUI and log in.
2. Click on Configuration -> Citrix Gateway -> Virtual Servers -> and edit the affected gateway.
3. Click on the SAML Policy.
4. Hover your mouse over the shown location. Three ‘dots’ will appear. Click these and press “Edit Server” in the context menu that pops up.
5. Scroll down to the “Relay State Rule” tab and enter your expression there.

You should be good to go now, do not forget to save your configuration.

Please note that users who already have a SAML cookie (from an earlier login) might have issues loading the page when you implement this. New users have no problems. The solution is to clear the browser cache.
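To make the behaviour of the expressions above concrete, here is an added Python model of the three relayStateRule variants (single domain, patset, and the syntax from Citrix Support), run over constructed RelayState values; it is example code written for this post, not Citrix's implementation. It assumes RELAYSTATE.EQ is an exact, case-sensitive compare, CONTAINS_ANY is a substring match against the bound patset patterns, and HTTP.REQ.HOSTNAME compares case-insensitively; the domain names are the placeholders used in the post.

```python
# Added example (not from the original post or Citrix): a model of the three
# relayStateRule expressions above, run over constructed RelayState values.
# Assumptions: RELAYSTATE.EQ is an exact, case-sensitive compare, CONTAINS_ANY
# is a substring match against every pattern bound to the patset, and
# HTTP.REQ.HOSTNAME compares case-insensitively. Domains are the post's placeholders.
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class LoginRequest:
    relay_state: str  # SAML RelayState parameter, "" when absent
    hostname: str     # HTTP.REQ.HOSTNAME of the request hitting the ADC

def single_domain_rule(req: LoginRequest, domain: str) -> bool:
    """AAA.LOGIN.RELAYSTATE.EQ("https://<domain>/")"""
    return req.relay_state == f"https://{domain}/"

def patset_rule(req: LoginRequest, patterns: Iterable[str]) -> bool:
    """AAA.LOGIN.RELAYSTATE.CONTAINS_ANY("<patset>") over the bound patterns"""
    return any(p in req.relay_state for p in patterns)

def support_rule(req: LoginRequest, domain: str) -> bool:
    """Syntax from Citrix Support quoted in the post:
    RELAYSTATE.EQ("https://<domain>/")
      || (RELAYSTATE.LENGTH.EQ(0) && HTTP.REQ.HOSTNAME.EQ("<domain>"))"""
    exact = req.relay_state == f"https://{domain}/"
    empty_same_host = req.relay_state == "" and req.hostname.lower() == domain.lower()
    return exact or empty_same_host

MICKDOMAINS = ["https://application1.mick.com/", "https://application2.mick.com/"]

def evaluate(req: LoginRequest, domain: str = "portal.abc.com") -> dict:
    """Outcome per rule for one request; False means the user sees the relay error."""
    return {
        "single": single_domain_rule(req, domain),
        "patset": patset_rule(req, MICKDOMAINS),
        "support": support_rule(req, domain),
    }

if __name__ == "__main__":
    # Constructed sample requests (not captured traffic); note the missing-slash case.
    for rs in ["https://portal.abc.com/", "https://portal.abc.com",
               "https://portal.abc.com/Citrix/Store/", "", "https://application2.mick.com/"]:
        print(repr(rs), evaluate(LoginRequest(rs, "portal.abc.com")))
```

Running it shows why the trailing slash matters (the EQ compare is exact) and why the Support syntax admits a request with an empty RelayState only when it arrives on the expected hostname.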

7 Comments on How to Citrix ADC: CVE-2020-8299 & CVE-2020-8300

  • Ashwin
    15/06/2021

    Thanks Mick,

    Clear article!

    • Mick Hilhorst
      15/06/2021

      You're welcome, glad it helped you!

      • Ashwin
        16/06/2021

        Today the customer called to say that some users still get the error message.
        I found out that it works without problems as long as you use just the FQDN with nothing after it.
        So https://portal.domein.nl, but after a successful login StoreFront appends /Citrix/Storenaam/.
        And the next time a user logs in, the browser automatically fills in https://portal.domein.nl/Citrix/Storenaam and then it goes wrong.

        The ‘/’ at the end of the relaystateRule is 100% there, I also tried it with a patset but that does not help either.
        Perhaps it would help to remove the /Citrix/Storenaam/ with a rewrite rule. In the meantime I have opened a case with Citrix

        • Mick Hilhorst
          16/06/2021

          Hi Ashwin,

          I’ll answer in English as this solution might help others too.
          The problem that you write about is that you get the relay error message when you use the provided syntax.
          You should not provide more data in the URL than the domain (e.g. don’t use /store/etc/etc).

          It happens to be that I had this same issue and it’s a known issue with Citrix.
          The solution is to use the following syntax, at least that is what Citrix informed us about.

          AAA.LOGIN.RELAYSTATE.EQ("https://portal.abc.nl/") || (AAA.LOGIN.RELAYSTATE.LENGTH.EQ(0) && HTTP.REQ.HOSTNAME.EQ("portal.abc.nl"))

          Replace portal.abc.nl with your domain.
          Make sure to keep the / at the end.

          Hope it helps,

          Mick

          • Ashwin
            16/06/2021

            Hi Mick,

            Thank you very very much, this solves the problem 🙂
            Also thank you for sharing the solution.

            I’m still waiting for Citrix support….
            This morning I uploaded an nstrace and support file and I am still waiting for them 🙁

            Ashwin

  • MK
    22/06/2021

    Great. This helped us with the FIPS version released on the 8th. There was no subsequent update.
