
Proof-of-concept exploits have been released on GitHub for the Citrix ADC and Gateway RCE vulnerability.

As such, it is now imperative to take precautions so that enterprise servers running vulnerable versions of Citrix's application delivery, load balancing and Gateway products are not compromised by cyber criminals and other attackers.

So why the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code [1, 2] for a recently disclosed remote code execution vulnerability in Citrix's NetScaler ADC and Gateway products, code that could allow anyone who uses it to take full control of affected enterprise systems.

Just before Christmas and New Year, Citrix announced that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers.

So, what should users do to protect themselves?

Citrix has strongly urged affected customers to apply the provided mitigation immediately (CTX267679 - Mitigation steps for CVE-2019-19781). Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware as soon as it is released.

Fix Timelines

Citrix expects firmware updates, in the form of refresh builds, to be available for all supported versions of Citrix ADC and Citrix Gateway before the end of January 2020. The table below lists the expected release dates.

| Version | Refresh Build | Expected Release Date |
|---------|---------------|-----------------------|
| 10.5    | 10.5.70.x     | 31st January 2020     |
| 11.1    | 11.1.63.x     | 20th January 2020     |
| 12.0    | 12.0.63.x     | 20th January 2020     |
| 12.1    | 12.1.55.x     | 27th January 2020     |
| 13.0    | 13.0.47.x     | 27th January 2020     |
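As an added example (not Citrix's tooling or part of the original post), the following script turns the table above into an inventory triage check: it parses each appliance's running build string and reports whether it is at or above the expected refresh build for its version line. It assumes that a build is fixed once its first three components reach the listed refresh build (the trailing ".x" covers any maintenance number), that version lines absent from the table cannot be assessed, and that the host names and build strings in the sample inventory are constructed.

```python
import re

# Expected fixed refresh builds from the table on this page. The trailing ".x"
# means any maintenance number, so only the first three components are compared.
FIXED_REFRESH_BUILDS = {
    "10.5": (10, 5, 70),
    "11.1": (11, 1, 63),
    "12.0": (12, 0, 63),
    "12.1": (12, 1, 55),
    "13.0": (13, 0, 47),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_build(version: str) -> tuple:
    """Parse 'major.minor.build[.maint]' into a tuple of ints; reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {version!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def assess_build(version: str) -> str:
    """Classify a running build as 'fixed', 'vulnerable' or 'unknown'.

    Assumption (not stated on the page): a build is fixed when its first three
    components are >= the expected refresh build for the same major.minor line.
    Lines that are not in the table cannot be judged from the table alone.
    """
    parts = parse_build(version)
    line = f"{parts[0]}.{parts[1]}"
    fixed = FIXED_REFRESH_BUILDS.get(line)
    if fixed is None:
        return "unknown"
    return "fixed" if parts[:3] >= fixed else "vulnerable"


def triage(inventory: dict) -> dict:
    """Map each appliance name to its assessment for the whole inventory."""
    return {name: assess_build(build) for name, build in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts or real fix builds.
    sample = {
        "adc-edge-01": "12.1.54.16",   # below the 12.1.55.x refresh build
        "adc-edge-02": "12.1.55.13",   # at or above it
        "gw-dc-01": "13.0.41.20",      # below the 13.0.47.x refresh build
        "gw-legacy": "10.1.130.13",    # version line not covered by the table
    }
    for host, verdict in triage(sample).items():
        action = "ok" if verdict == "fixed" else "apply CTX267679 mitigation and plan upgrade"
        print(f"{host}: {verdict} -> {action}")
```

Anything reported as "vulnerable" or "unknown" should keep the CTX267679 mitigation in place until the appliance is confirmed to be running a fixed refresh build.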