SPOT Report – Citrix ADC & Gateway Vulnerability
By Eric Ford
On December 23, 2019, a critical vulnerability was disclosed by Positive Technologies in the Citrix ADC & Citrix Gateway applications, formerly known as NetScaler ADC and NetScaler Gateway. If this vulnerability is left unmitigated it could allow an unauthenticated attacker to perform arbitrary code execution. While the specifics of the vulnerability have not been disclosed the vulnerability has been assigned to CVE-2019-19781 and Citrix has provided mitigation for impacted systems.
This vulnerability affects all supported platforms and product versions:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Qualys and Tenable are monitoring and will be releasing detections for them soon. Qualys is monitoring theirs through QID 372305 and will be released as soon as it is available. Tenable has made no announcements when but will have Plugin IDs for it.
If you are a Vulnerability Management customer with Deepwatch, please contact your Vulnerability Management SME in order to arrange a scan and identify any vulnerable systems. The Vulnerability Management SME will assist in developing a mitigation strategy and notify you when identifications are officially released.
Citrix stated in their advisory they “strongly urge affected customers to immediately apply the provided mitigation. Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released.” Mitigation steps are outlined on Citrix’s website based on the configuration of the Citrix ADC or Citrix Gateway device and located at link below:
Permanent fixes have been released for Citrix ADC 11.1 and 12.0, available on Citrix’s support site, but other versions of Citrix devices are scheduled for release over the final few weeks in January:
|Citrix ADC and Citrix Gateway|
|Version||Refresh Build||Release Date|
|11.1||220.127.116.11||January 19, 2020|
|12.0||18.104.22.168||January 19, 2020|
|12.1||12.1.55.x||January 24, 2020|
|10.5||10.5.70.x||January 24, 2020|
|13.0||13.0.47.x||January 24, 2020|
|Citrix SD-WAN WANOP|
|Release||Citrix ADC Release||Release Date|
|10.2.6||22.214.171.1245||January 24, 2020|
|11.0.3||126.96.36.1995||January 24, 2020|
On January 10, 2020 researchers at TrustedSec stated they have a “100% fully working remote code execution exploit.” Trusted Sec reports that this code can directly attack any ADC server in an unauthenticated manner. TrustedSec has uploaded their exploit code to their GitHub account because as they stated, “other researchers have published their code first.”
TrustedSec also published fairly extensive remote code execution forensics to their blog on January 10, 2020.
Eric Ford, Squad Analyst II