Pierluigi Paganini January 20, 2020

Citrix addressed the actively exploited CVE-2019-19781 flaw in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

Citrix has released security patches to address actively exploited CVE-2019-19781 vulnerability in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

While security researchers were warning of ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers affected by the CVE-2019-19781 vulnerability, many experts were announcing the availability online of proof-of-concept exploit code ([1, 2]).

Researchers at MDSsec published technical details of the vulnerability along with a video that shows the exploit they have developed, but they decided to not release it to avoid miscreants use it in the wild.

In December Citrix disclosed the critical CVE-2019-19781 vulnerability and explained that it could be exploited by attackers to access company networks.

It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the U.S. (38%), followed by the UK, Germany, the Netherlands, and Australia. 

The CVE-2019-19781 vulnerability was discovered by Mikhail Klyuchnikov from Positive Technologies.

Now Citrix is announcing then permanent fixes for the above remote code execution vulnerability.

“Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads here and here,” reads a post published by Citrix’s CISO Fermin J. Serna.

“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.”

Citrix urges the upgrade for all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15. It is also necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes. 

The company also announced that it has postponed the release of permanent fixes for other ADC versions and for SD-WAN WANOP, below the expected release dates:

• ADC version 12.1, now January 24
• ADC version 13 and ADC version 10.5, now January 24
• SD-WAN WANOP fixes, now January 24

Once applied mitigations, it is possible to use a tool released by Citrix to ensure the mitigations have successfully been applied.

“While all the mitigations associated with CVE-2019-19781 are effective across all known scenarios, we strongly encourage customers to apply the permanent fixes as soon as possible.” continues the post.

Security experts are observing a spike in the number of attacks against Citrix servers after that researchers announced the availability online of proof-of-concept exploits for the CVE-2019-19781 flaw in Citrix NetScaler ADC and Citrix NetScaler Gateway servers.

Researchers from FireEye recently noticed that one of the threat actors involved in the attacks is patching the vulnerable Citrix servers, installing their own backdoor, tracked as NOTROBIN, to clean up other malware infections and to lock out any other threat from exploiting the CVE-2019-19781 Citrix flaw.

Pierluigi Paganini

(SecurityAffairs – Citrix servers, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]