A critical vulnerability in the Citrix Application Delivery Controller and Citrix Gateway has been patched by Citrix. If exploited, the vulnerability could allow an unauthenticated user to access a company’s applications and remotely execute arbitrary code on its local network.
The vulnerability – CVE-2019-19781 – affects all versions of the Citrix Application Delivery Controller and Citrix Gateway on all platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and Citrix NetScaler ADC and NetScaler Gateway 10.5.
The vulnerable Citrix applications are extensively used in corporate networks. It has been estimated that globally, more than 80,000 businesses in 138 countries are at risk of DDoS attacks, malware infections, phishing and cryptocurrency mining attacks due to the vulnerability.
The flaw was identified by Mikhail Klyuchnikov, director of the security audit department at Positive Technologies, who reported the flaw to Citrix in early December. Citrix responded quickly, issuing mitigations that could be applied to reduce the risk of exploitation, and a patch has now been released.
“Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the internet,” said Serebryannikov. “Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.”
The flaw has existed since 2014, so it is possible that it has already been exploited. Businesses not only need to apply the patch as soon as possible; they also need to scan for signs of existing exploitation and infrastructure compromise.
If the patch cannot be applied immediately, businesses need to make configuration changes to the standalone system to create a responder action and policy. According to Citrix, the configuration changes also need to be applied to the management interfaces. Citrix has published full details of the mitigations.