Citrix releases new patches to plug critical server vulnerability

Additional versions of Citrix ADC and Citrix Gateway can now be protected against the severe security issue.


Citrix has released a new round of security updates to resolve a critical vulnerability exposing thousands of servers to code execution attacks. 

The vulnerability at the heart of the matter is CVE-2019-19781, a directory traversal security flaw that can be exploited for the purposes of arbitrary code execution. The vulnerability has been issued a CVSS score of 9.8 -- in other words, it cannot be much more serious. 

Different versions of Citrix Application Delivery Controller (ADC) and Citrix Gateway, as well as Citrix SD-WAN WANOP, are impacted.

In the latest batch of fixes to plug server security holes, Citrix has now pushed out patches for Citrix ADC and Citrix Gateway versions 12.1 and 13.0. IT admins should make sure their builds are upgraded to 12.1.55.18 and 13.0.47.24. 
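An added example, not from the article or from Citrix: one way to check an inventory of appliance version banners against the two fixed builds named above. The banner layout, host names and sample lines are assumptions constructed for illustration; branches the article gives no fixed build for are reported as unlisted rather than guessed.

```python
import re

# Fixed builds named in the article, keyed by release branch.
FIXED_BUILDS = {"12.1": (55, 18), "13.0": (47, 24)}

# Assumed banner layout, e.g. "NetScaler NS12.1: Build 55.18.nc, Date: ..."
BANNER = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def classify(banner: str) -> str:
    """Return 'patched', 'needs-update', 'unlisted-branch' or 'unparsed'."""
    match = BANNER.search(banner)
    if not match:
        return "unparsed"
    branch = match.group(1)
    # Compare build parts as integers: as strings, "55.9" would sort
    # above "55.18" and an unpatched build would be reported as patched.
    build = (int(match.group(2)), int(match.group(3)))
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unlisted-branch"
    return "patched" if build >= fixed else "needs-update"


def audit(inventory: dict) -> dict:
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "adc-01": "NetScaler NS12.1: Build 55.18.nc, Date: Jan 23 2020",
    "adc-02": "NetScaler NS12.1: Build 55.9.nc, Date: Nov 01 2019",
    "gw-01": "NetScaler NS13.0: Build 47.22.nc, Date: Dec 10 2019",
    "gw-02": "NetScaler NS13.0: Build 52.24.nc, Date: Mar 01 2020",
    "adc-03": "NetScaler NS11.1: Build 63.9.nc, Date: Oct 15 2019",
    "adc-04": "ssh: connect to host adc-04 port 22: timed out",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```
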


Two sets of security updates for other ADC and Gateway builds, Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and Citrix SD-WAN 4000-WO, 5000-WO, 4100-WO, and 5100-WO, were released earlier this week.

Fixes for ADC and Gateway can now be downloaded from the Citrix support website and should be applied as soon as possible. 

At the time of public disclosure on December 17, no patches were available; instead, the company published a mitigation guide as a temporary solution. Researchers estimated that up to 80,000 organizations in 158 countries could be susceptible to cyberattacks due to the bug. 


A month passed without a fix, but Citrix has now begun rolling out updates rapidly. The urgency was heightened when two exploits for CVE-2019-19781 became public in early January and scans for vulnerable servers increased.

It has also been reported that a hacking entity has been scanning and patching Citrix servers -- but it is more likely that a threat actor is hoarding them for nefarious purposes than a white hat vigilante taking matters into their own hands. 

Due to the severity of the problem, patches are available regardless of maintenance contracts with Citrix. The company "strongly urges" the immediate installation of the security updates. 

The table below shows the server patches and updated builds available. 

[Image: table of server patches and updated builds]

A free scanning tool, developed by Citrix and FireEye Mandiant, is also available for IT admins to check and see whether or not their servers are vulnerable to exploit. 


"Thank you to our customers and partners for your patience as we continue to roll out fixes that fully address this vulnerability," Citrix says. "Customer security remains a top priority for Citrix, and we will continue making every effort to ensure all customers are supported."
