Citrix RCE Vulnerability in Multiple Products

Summary

Citrix has released information about a security flaw in its Application Delivery Controller (ADC) and Gateway products. Example programs have been published online that show attackers can take full control of these systems. NHS organisations may use these products to provide access to clinical applications and data. Citrix has advised affected customers to immediately follow its recommended steps to address the security flaw. Citrix expects to release updates for these products before the end of January.


Affected platforms

The following platforms are known to be affected:

  • Citrix/NetScaler ADC
  • Citrix/NetScaler Gateway
  • Citrix SD-WAN WANOP


Threat details

Citrix has released information about a vulnerability in its Application Delivery Controller (ADC), Gateway, and software-defined wide area network (SD-WAN) products that allows an unauthenticated threat actor to achieve remote code execution (RCE). Citrix has advised affected customers to immediately apply its provided mitigation.

The vulnerability is reported to result from unsanitised handling of HTTP-based Virtual Private Network (VPN) requests. Multiple proof-of-concept exploits that target this vulnerability have now been released, and security researchers have reported an increase in scanning activity attempting to identify vulnerable devices.

Citrix ADC and Gateway were formerly branded as NetScaler products.

For further information:

 


Remediation advice

Citrix has advised affected customers to immediately apply its provided mitigation and then update appliance firmware when fixed versions have been released.


Remediation steps

Type: Action
Step: Apply the mitigation provided by Citrix as soon as possible.
https://support.citrix.com/article/CTX267679

Type: Patch
Step: Citrix has released updates to address this vulnerability in its ADC and Gateway versions 11.1 and 12.0. Affected organisations are encouraged to review the following Citrix advisories and apply the necessary remediation immediately:

Citrix has also confirmed that updates for the remaining affected ADC and Gateway versions will be published before the end of January 2020.

Type: Aware
Step: Both Citrix and the US Cybersecurity and Infrastructure Security Agency have released tools to identify vulnerable devices and verify whether mitigation steps have been applied correctly. Please note that NHS Digital do not test or verify third-party tools and that organisations use them at their own risk:

 



Indicators of compromise

Network Activity
  • HTTP POST request to /vpns/portal/scripts/newbm.pl
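
A log check for the network indicator listed above, as an added example that is not part of the original advisory or of any Citrix or NHS Digital tooling. It assumes web access logs in Apache common/combined format; the function names and the sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# IoC from the advisory: HTTP POST request to this path.
IOC_METHOD = "POST"
IOC_PATH = "/vpns/portal/scripts/newbm.pl"

# Assumption: access logs use the Apache common/combined log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def normalise_path(target):
    """Canonicalise a request target so encoded or padded forms still match."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # bounded repeat handles double percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = "/" + path.replace("\\", "/").lstrip("/")
    # normpath collapses "//", "/./" and "/../"; matching is case-insensitive
    # on purpose, trading a few false positives for fewer misses.
    return posixpath.normpath(path).lower()

def find_ioc_hits(lines):
    """Return (source, timestamp, status, raw target) for each IoC match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == IOC_METHOD and normalise_path(m["target"]) == IOC_PATH:
            hits.append((m["src"], m["ts"], int(m["status"]), m["target"]))
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2020:10:01:02 +0000] "POST /vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143',
    '198.51.100.9 - - [12/Jan/2020:10:05:40 +0000] "POST /vpns//portal/scripts/NewBM%2Epl?a=1 HTTP/1.1" 200 143',
    '192.0.2.44 - - [12/Jan/2020:10:06:11 +0000] "GET /vpns/portal/scripts/newbm.pl HTTP/1.1" 403 0',
    '192.0.2.45 - - [12/Jan/2020:10:07:30 +0000] "POST /vpn/index.html HTTP/1.1" 200 5120',
    'truncated or unparseable line',
]

if __name__ == "__main__":
    for src, ts, status, target in find_ioc_hits(SAMPLE_LOG):
        print(f"{ts} {src} status={status} target={target}")
```

A hit records that the request was made, not that it succeeded, so matched sources still need follow-up review.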


Definitive source of threat updates


Last edited: 21 January 2020 4:24 pm