[German] A vulnerability exists in the Citrix Application Delivery Controller (ADC) – formerly NetScaler ADC – and in Citrix Gateway – formerly NetScaler Gateway – that could allow attackers to execute arbitrary code.
The CVE-2019-19781 vulnerability
The vulnerability CVE-2019-19781, described in the Citrix advisory "Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution", exists in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway).
Citrix (NetScaler) ADC is a load balancer and monitoring system. The Unified Gateway enables remote access to internal applications. This can include desktop applications as well as intranet or web applications.
The vulnerability, classified as critical, could allow a local, unprivileged attacker to execute unwanted code. Mikhail Klyuchnikov, security expert at Positive Technologies, discovered this critical vulnerability.
If this vulnerability is exploited, attackers from the Internet could gain direct access to the company’s local network. This attack does not require access to any accounts and can therefore be performed by any external attacker.
Positive Technologies experts estimate that at least 80,000 companies in 158 countries are potentially at risk. The top 5 countries with such organizations are the United States (the absolute leader with over 38 percent of all organizations at risk), the United Kingdom, Germany, the Netherlands and Australia.
Products affected and severity
The vulnerability has been assigned the identifier CVE-2019-19781. The vendor has not yet assigned an official CVSS severity level to this vulnerability. The experts at Positive Technologies estimate the severity level to be 10 (the highest level). This vulnerability affects all supported versions of the product and all supported platforms, including
- Citrix ADC and Citrix Gateway 13.0
- Citrix ADC and NetScaler Gateway 12.1
- Citrix ADC and NetScaler Gateway 12.0
- Citrix ADC and NetScaler Gateway 11.1
- Citrix NetScaler ADC and NetScaler Gateway 10.5
In its Security Advisory dated December 17, 2019, Citrix urges affected customers to update all their vulnerable appliances to an updated version of the appliance firmware (when released). Customers can register at support.citrix.com/user/alerts to be notified, as there appear to be no updates available at this time. The support article CTX267679 – Mitigation steps for CVE-2019-19781 explains how administrators can mitigate the vulnerability. Further guidance is available at The Register and Bleeping Computer.
- Vulnerability in Citrix Apps put companies at risk
- PoC for Citrix ADC/Netscaler vulnerability CVE-2019-19781
- Further actions required for Citrix Netscaler vulnerability
- Citrix ADC/Netscaler patches 11.1/12.0 released (01/19/2020)