SPOT Report - Citrix ADC & Gateway Vulnerability

Overview

On December 23, 2019, Positive Technologies disclosed a critical vulnerability in the Citrix ADC and Citrix Gateway applications, formerly known as NetScaler ADC and NetScaler Gateway. If left unmitigated, this vulnerability could allow an unauthenticated attacker to perform arbitrary code execution. While the specifics of the vulnerability have not been disclosed, it has been assigned CVE-2019-19781, and Citrix has provided mitigation for impacted systems.

This vulnerability affects all supported platforms and product versions:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Detections

Qualys and Tenable are monitoring the vulnerability and will be releasing detections for it soon. Qualys is tracking its detection as QID 372305, which will be released as soon as it is available. Tenable has not announced a date but will have Plugin IDs for it.

If you are a Vulnerability Management customer with deepwatch, please contact your Vulnerability Management SME in order to arrange a scan and identify any vulnerable systems. The Vulnerability Management SME will assist in developing a mitigation strategy and notify you when identifications are officially released.

Recommendations

Citrix stated in their advisory that they “strongly urge affected customers to immediately apply the provided mitigation. Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released.” Mitigation steps, which depend on the configuration of the Citrix ADC or Citrix Gateway device, are outlined on Citrix’s website at the link below:

https://support.citrix.com/article/CTX267679

Update

Permanent fixes have been released for Citrix ADC 11.1 and 12.0 and are available on Citrix’s support site. Fixes for the other versions are scheduled for release over the final few weeks of January:

Citrix ADC and Citrix Gateway

Version   Refresh Build   Release Date
11.1      11.1.63.15      January 19, 2020
12.0      12.0.63.13      January 19, 2020
12.1      12.1.55.x       January 24, 2020
10.5      10.5.70.x       January 24, 2020
13.0      13.0.47.x       January 24, 2020

Citrix SD-WAN WANOP

Release   Citrix ADC Release   Release Date
10.2.6    11.1.51.615          January 24, 2020
11.0.3    11.1.51.615          January 24, 2020
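
For triaging an appliance inventory against the Citrix ADC and Citrix Gateway refresh builds listed above, the following added example (not code from Citrix or deepwatch) classifies each version string as fixed, still needing the mitigation, or needing manual verification where the published build ends in "x". It assumes version banners of the form "NS12.1: Build 55.13.nc", that later builds in a release line carry the fix forward, and a constructed inventory with made-up hostnames and build numbers; the SD-WAN WANOP releases are not covered.

```python
import re

# Refresh builds copied from the Citrix ADC and Citrix Gateway table above.
# "x" is kept as published: the final build number was not yet announced.
REFRESH_BUILDS = {
    "10.5": "10.5.70.x",
    "11.1": "11.1.63.15",
    "12.0": "12.0.63.13",
    "12.1": "12.1.55.x",
    "13.0": "13.0.47.x",
}

def parse_build(text):
    """Return (major, minor, build, patch) from '12.0.63.13' or from the
    assumed banner form 'NS12.0: Build 63.13.nc'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.|: Build )(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(text):
    """Classify one appliance as 'fixed', 'mitigate', 'verify' or 'unlisted'."""
    major, minor, build, patch = parse_build(text)
    refresh = REFRESH_BUILDS.get(f"{major}.{minor}")
    if refresh is None:
        return "unlisted"  # release line not named in the advisory
    fixed_build, fixed_patch = refresh.split(".")[2:]
    if build != int(fixed_build):
        # Assumption: later builds in a release line carry the fix forward.
        return "fixed" if build > int(fixed_build) else "mitigate"
    if fixed_patch == "x":
        return "verify"  # same build train, final fixed number unpublished
    return "fixed" if patch >= int(fixed_patch) else "mitigate"

def triage_inventory(inventory):
    """Map each host to its triage status."""
    return {host: triage(version) for host, version in inventory.items()}

# Constructed inventory for illustration; hosts and builds are made up.
SAMPLE_INVENTORY = {
    "adc-edge-01": "NS11.1: Build 63.15.nc",
    "adc-edge-02": "NS12.0: Build 63.9.nc",
    "adc-dmz-01": "NS12.1: Build 55.13.nc",
    "adc-lab-01": "13.0.41.20",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Anything reported as "mitigate" or "verify" should keep the CTX267679 mitigation in place until the installed build is confirmed against Citrix's support site.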

 

On January 10, 2020, researchers at TrustedSec stated they have a “100% fully working remote code execution exploit.” TrustedSec reports that this code can directly attack any ADC server in an unauthenticated manner. TrustedSec has uploaded their exploit code to their GitHub account because, as they stated, “other researchers have published their code first.”

TrustedSec also published fairly extensive remote code execution forensics to their blog on January 10, 2020.

Contributors

Eric Ford, Squad Analyst II
