Citrix yesterday released the first firmware updates for Citrix ADC/Netscaler 11.1/12.0, intended to fix the CVE-2019-19781 vulnerability.
Citrix (NetScaler) ADC is a load balancer and monitoring system. The Unified Gateway enables remote access to internal applications. This can include desktop applications as well as intranet or web applications.
Citrix vulnerability CVE-2019-19781
A vulnerability (CVE-2019-19781) exists in the Citrix Application Delivery Controller (ADC), formerly NetScaler ADC, and in Citrix Gateway, formerly NetScaler Gateway, that could allow attackers to execute unwanted code. If this vulnerability is exploited, attackers can gain direct access to the corporate local network from the Internet. This attack does not require access to any accounts and therefore can be executed by any remote attacker.
I first reported the vulnerability in the blog post Vulnerability in Citrix Apps put companies at risk before Christmas 2019. Citrix had published a workaround that allowed administrators to prevent or hinder exploitation of the vulnerability. However, many administrators had failed to apply it, so in January 2020 there were successful attacks on corporate networks via this vulnerability. Since Proof of Concept (PoC) exploits became known, attacks on Citrix Netscaler honeypots have been increasing. Citrix had announced updates for the affected products between January 20 and 31, 2020. The blog posts linked at the end of the article contain further information on this topic.
Updates for Citrix ADC/Netscaler 11.1/12.0
I read this morning at Bleeping Computer that the first updates for Citrix ADC/Netscaler 11.1/12.0 were released yesterday. According to the following tweet, the release was some time last night (German time).
Important updates on the #CitrixADC, Citrix Gateway vulnerability: (1) Permanent fixes for ADC v11.1 & 12. (2) We have moved forward the availability of permanent fixes for other ADC versions & SD-WAN WANOP from previous target dates. #CVE201919781 https://t.co/20c9u3oh8h
— Citrix (@citrix) January 19, 2020
Citrix has also published a blog entry on 19 January 2020 entitled Vulnerability Update: First permanent fixes available, timeline accelerated. Permanent fixes for ADC versions 11.1 and 12.0 are available for download here and here. Citrix says:
- These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.
- It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 188.8.131.52 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 184.108.40.206 to install the security vulnerability fixes.
Citrix has brought forward the availability of permanent fixes for other ADC versions and for SD-WAN WANOP:
- ADC version 12.1, now January 24
- ADC version 13 and ADC version 10.5, now January 24
- SD-WAN WANOP fixes, now January 24
You can find more details in the Citrix blog post, which lists the release dates and the versions of the updates. Administrators should install the updates immediately.
Vulnerability in Citrix Apps put companies at risk
PoC for Citrix ADC/Netscaler vulnerability CVE-2019-19781
Further actions required for Citrix Netscaler vulnerability
Citrix ADC/Netscaler patches 11.1/12.0 released (01/19/2020)