; ;

Security advisories | Jan 20, 2020

Citrix Releases Critical Security Patches

The Threat:

On January 19th, 2020, Citrix released patches for two vulnerable versions of Citrix ADC and Citrix Gateway products [1]. These patches address the critical code execution vulnerability reported in previous advisories [2]. This vulnerability is being actively exploited in the wild for multiple malicious purposes; it is highly recommended to apply the available patches as soon as possible.

What we’re doing about it:

  • Known scanner and payload IP addresses associated with attacks exploiting this vulnerability have been added to the eSentire Global Blacklist
  • MVS (formerly esRECON) has plugins to identify the vulnerability CVE-2019-19781
  • esLOG+ rules have been deployed to detect this vulnerability
    • This applies only to clients that are providing HTTPREQUEST Netscaler Logs. Please reach out to [email protected] if you have questions regarding netscaler logging.
  • esLOG+ customers have been reviewed for signs of Citrix exploitation

What you should do about it:

  • Apply available security patches
    • Citrix ADC and Citrix Gateway version 11.1 [3]
    • Citrix ADC and Citrix Gateway version 12.0 [4]
  • If running another version of Citrix ADC and Citrix Gateway or Citrix SD-WAN WANOP ensure the available mitigation steps are in place until security patches become available [5]
    • Citrix users can validate mitigation actions using the CVE Verification Tool released by Citrix [6]

Additional information:

CVE-2019-19781 allows simple directory traversal by a remote attacker in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. Additionally, the vulnerability affects the Citrix SD-WAN WANOP appliance, versions 10.2.6 and 11.0.3.

It should be noted that the mitigation actions supplied by Citrix do not work on Citrix ADC and Citrix Gateway Release "12.1 build 50.28". If running this build, users will need update to version 12.1 build 50.28/50.31 or later.

Expected Patch Release [1]

Citrix ADC Version

Expected Patch Release Date

13

Jan 24, 2020

12.1

Jan 24, 2020

12

Jan 19, 2020 (Released)

11.1

Jan 19, 2020 (Released)

10.5

Jan 24, 2020

Citrix SD-WAN WANOP

Expected Patch Release Date

10.2.6

Jan 24, 2020

11.0.3

Jan 24, 2020

References:

[1] https://support.citrix.com/article/CTX267027

[2] https://www.esentire.com/security-advisories/critical-update-to-citrix-vulnerability-exploited/

[3] https://www.citrix.com/downloads/citrix-adc/

[4] https://www.citrix.com/downloads/citrix-gateway/

[5] https://support.citrix.com/article/CTX267679

[6] https://support.citrix.com/article/CTX269180