12.24.19

SPOT Report – Citrix ADC & Gateway Vulnerability

By Eric Ford

Overview

On December 23, 2019, Positive Technologies disclosed a critical vulnerability in the Citrix ADC and Citrix Gateway applications, formerly known as NetScaler ADC and NetScaler Gateway. If left unmitigated, this vulnerability could allow an unauthenticated attacker to perform arbitrary code execution. While the specifics of the vulnerability have not been disclosed, it has been assigned CVE-2019-19781 and Citrix has provided mitigation for impacted systems.

This vulnerability affects all supported platforms and product versions:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Detections

Qualys and Tenable are monitoring the vulnerability and will be releasing detections for it soon. Qualys is tracking its detection as QID 372305, which will be released as soon as it is available. Tenable has not announced a date but will have Plugin IDs for it.

If you are a Vulnerability Management customer with Deepwatch, please contact your Vulnerability Management SME in order to arrange a scan and identify any vulnerable systems. The Vulnerability Management SME will assist in developing a mitigation strategy and notify you when identifications are officially released.

Recommendations

Citrix stated in their advisory they “strongly urge affected customers to immediately apply the provided mitigation. Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released.” Mitigation steps, which depend on the configuration of the Citrix ADC or Citrix Gateway device, are outlined on Citrix’s website at the link below:

https://support.citrix.com/article/CTX267679

Update

Permanent fixes have been released for Citrix ADC 11.1 and 12.0 and are available on Citrix’s support site. Fixes for other versions of Citrix devices are scheduled for release over the final few weeks in January:

Citrix ADC and Citrix Gateway

| Version | Refresh Build | Release Date |
| --- | --- | --- |
| 11.1 | 11.1.63.15 | January 19, 2020 |
| 12.0 | 12.0.63.13 | January 19, 2020 |
| 12.1 | 12.1.55.x | January 24, 2020 |
| 10.5 | 10.5.70.x | January 24, 2020 |
| 13.0 | 13.0.47.x | January 24, 2020 |

Citrix SD-WAN WANOP

| Release | Citrix ADC Release | Release Date |
| --- | --- | --- |
| 10.2.6 | 11.1.51.615 | January 24, 2020 |
| 11.0.3 | 11.1.51.615 | January 24, 2020 |
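As an added example (not from Citrix or the original report), the ADC and Gateway rows of the table above can drive an inventory triage check. The `hostname,version` inventory format, the status names, and the rule that later builds in a branch carry the fix are assumptions; a build matching a `.x` entry is reported as `verify` because the table does not give the final build number.

```python
from datetime import date

# Refresh builds from the table above: branch -> (build, release date); "x" = not given.
FIXED = {
    "11.1": ("63.15", date(2020, 1, 19)),
    "12.0": ("63.13", date(2020, 1, 19)),
    "12.1": ("55.x", date(2020, 1, 24)),
    "10.5": ("70.x", date(2020, 1, 24)),
    "13.0": ("47.x", date(2020, 1, 24)),
}

def classify(version, today):
    """Return a triage status for one 'major.minor.build.patch' string."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return "unparseable"
    branch = ".".join(parts[:2])
    if branch not in FIXED:
        return "not-listed"  # branch is absent from the table; check the advisory
    fixed, released = FIXED[branch]
    f_build, f_patch = fixed.split(".")
    build, patch = int(parts[2]), int(parts[3])
    if build > int(f_build):
        return "fixed"  # assumption: later builds in a branch carry the fix
    if build == int(f_build) and f_patch == "x":
        return "verify"  # final build number is not given in the table
    if build == int(f_build) and patch >= int(f_patch):
        return "fixed"
    # Below the refresh build: the CTX267679 mitigation is still required.
    return "vulnerable-fix-available" if today >= released else "vulnerable-fix-pending"

def triage(inventory_text, today):
    """Map hostname -> status for 'hostname,version' lines."""
    result = {}
    for line in inventory_text.strip().splitlines():
        host, _, version = line.partition(",")
        result[host.strip()] = classify(version, today)
    return result

# Constructed sample inventory (hostnames and installed builds are made up).
SAMPLE = """adc-edge-01,11.1.63.15
adc-edge-02,12.0.62.8
gw-dmz-01,12.1.55.13
gw-dmz-02,13.0.41.28
adc-lab-01,10.1.129.11"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE, date(2020, 1, 20)).items():
        print(f"{host}: {status}")
```

Anything not reported as `fixed` should keep the Citrix mitigation in place until the appliance is upgraded and the build is confirmed against the vendor advisory.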

On January 10, 2020, researchers at TrustedSec stated they have a “100% fully working remote code execution exploit.” TrustedSec reports that this code can directly attack any ADC server in an unauthenticated manner. TrustedSec has uploaded their exploit code to their GitHub account because, as they stated, “other researchers have published their code first.”

TrustedSec also published fairly extensive remote code execution forensics to their blog on January 10, 2020.

Contributors

Eric Ford, Squad Analyst II

Supporting Information

  • https://support.citrix.com/article/CTX267027
  • https://support.citrix.com/article/CTX267679
  • https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/
  • https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/?utm_content=112033384
  • https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/
  • https://github.com/trustedsec/cve-2019-19781/blob/master/README.md
  • https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/
