Citrix rolls out patches for critical ADC vulnerability exploited in the wild
Citrix has released patches to permanently resolve a vulnerability in ADC software that is being actively exploited in the wild.
The vulnerability, tracked as CVE-2019-19781, impacts the Citrix Application Delivery Controller (ADC) — formerly known as NetScaler ADC — and Citrix Gateway, formerly known as NetScaler Gateway, as well as Citrix SD-WAN WANOP.
“The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX),” the company says. “Further investigation by Citrix has shown that this issue also affects certain deployments of Citrix SDWAN, specifically Citrix SDWAN WANOP edition. Citrix SDWAN WANOP edition packages Citrix ADC as a load balancer thus resulting in the affected status.”
Disclosed on December 17 and issued a CVSS score of 9.8, the critical path traversal vulnerability can be weaponized to launch arbitrary code execution attacks without the need for authentication.
At the time of disclosure, the security flaw had no patch available, and up to 80,000 organizations in 159 countries were thought to be at risk, according to Positive Technologies’ Mikhail Klyuchnikov, who originally reported the issue.
Mitigation steps were recommended by Citrix until a fix was made available.
All supported builds of Citrix ADC and Citrix Gateway version 13.0, Citrix ADC and NetScaler Gateway versions 12.1, 12.0 and 11.1, and Citrix NetScaler ADC and NetScaler Gateway version 10.5 are impacted, alongside SD-WAN WANOP product versions 10.2.6 and 11.0.3.
It did not take long for cyberattackers to begin scanning the Internet for vulnerable Citrix instances. In the first week or so of January, honeypots revealed a spike in Citrix scans, and by January 11, exploit code had been made public on GitHub, making attacks on vulnerable machines a trivial affair.
According to FireEye, an attacker working behind a Tor barrier has also been deploying a payload on vulnerable instances called NotRobin.
This spurred Citrix to release a timeline of anticipated fixes: patches were expected for versions 13 and 12.1 on January 27, for 10.5 on January 31, and for 12 and 11.1 on January 20.
Fixes for ADC versions 12 and 11.1 have landed a day early. In a security advisory, the software company urged customers to “immediately” install the patches, noting that if multiple versions of ADC are in use, IT admins need to keep an eye on fixes being released for different builds.
“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated,” Citrix said. “It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 22.214.171.124 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 126.96.36.199 to install the security vulnerability fixes.”
In addition, Citrix has shortened the wait for fixes for the other affected versions. Citrix ADC patches for versions 12.1, 13 and 10.5 are now expected on January 24, and a Citrix SD-WAN WANOP fix is expected on the same day.
Citrix has also provided a verification tool for IT admins to check that fixes have been applied properly.