Cloud Software Group Security Advisory for CVE-2024-3661
Advisory
Cloud Software Group has evaluated the impact of vulnerability CVE-2024-3661 on our products. This vulnerability may allow an attacker on the same local network as the victim to read, disrupt, or modify network traffic expected to be protected by the VPN.
Please find below the impact status:
Citrix Secure Access client for Windows
- Status: Not impacted
Citrix Secure Access client for Android
- Status: Not impacted
Citrix Secure Access client for Linux
- Status: Impacted – A fix addressing this issue will be released in an upcoming release.
Citrix Secure Access client for Mac/iOS
- Customers using MDM (Mobile Device Management):
- Status: Impacted
- Recommendation:
- Install the latest update listed below as soon as possible to reduce the risk of exploitation: 24.06.1
- AND
- set ‘EnforceRoutes’ to ‘1’ in the managed VPN configuration
- Mitigating factors/Workaround:
- Configure the settings listed below to reduce the risk of exploitation:
- set ‘EnforceRoutes’ to ‘1’ in the managed VPN configuration and Local LAN access to ‘OFF’ on the Gateway
- Customers not using MDM (Mobile Device Management):
- Status: Impacted
- Recommendation:
- Install the latest update listed below as soon as possible to reduce the risk of exploitation: 24.06.1
- Mitigating factors/Workaround:
-
- Configure the settings listed below to reduce the risk of exploitation:
- set Local LAN access to ‘OFF’ on the Gateway
- Configure the settings listed below to reduce the risk of exploitation:
-
More information
https://support.citrix.com/article/CTX677069/cloud-software-group-security-advisory-for-cve20243661
For assistance from the Kraft Kennedy team, please contact us.