Citrix: These are new patches for your vulnerable servers

Citrix has released a fresh set of patches for ADC and NetScaler bug, with more patches due out tomorrow.
Written by Liam Tung, Contributing Writer

Enterprise tech company Citrix has rolled out a new round of fixes for a vulnerability that's already being exploited to install malware on Citrix servers and which has even sparked a turf war among cybercriminals over compromised machines. 

The new fixes address CVE-2019-19781, which has been in the spotlight over the past week after proof-of-concept (PoC) exploit code was released, and hackers started using variants of it to install crypto-miners on enterprise kit. 

The bug affects Citrix Application Delivery Controller (ADC) – formerly known as NetScaler ADC – and Citrix Gateway, formerly known as NetScaler Gateway, as well as Citrix SD-WAN WANOP. 

SEE: 10 tips for new cybersecurity pros (free PDF)

The first set of updates were released earlier this week for some versions of ADC and NetScaler, and Citrix CISO Fermin Serna today announced the release of fixes for SD-WAN WANOP, which are available on Citrix's support site.  

Serna notes that customers must upgrade all Citrix SD-WAN WANOP versions to build 10.2.6b or 11.0.3b. The fixes are applicable to SD-WAN 4000-WO, 5000-WO, 4100-WO, and 5100-WO platforms. The SD-WAN PE and SD-WAN SE platforms are not affected by this bug. 

While customers can use Citrix's mitigations to minimize risk, Serna said the company "strongly encourages" admins to apply the permanent fixes as soon as possible.

The bug has become a top target for a few reasons. Citrix disclosed the flaw before Christmas but advised customers it wouldn't have patches until late January. In the meantime, the PoC exploit code was released for what is considered a simple vulnerability to exploit. 

Earlier this week ZDNet reported that security firm FireEye had identified a hacker who was removing malware from already infected Citrix servers as part of a ploy to gain exclusive control over compromised machines and then install a backdoor. 

FireEye has detected repeated attacks on organizations in the travel, legal, financial, and education sectors.

The Dutch national cybersecurity agency (NCSC) has even advised companies and government agencies that run Citrix ADC or NetScaler Gateway servers to turn off systems until an official patch is ready due to "uncertainty about the effectiveness of the mitigation measures". 

Citrix insists the mitigations do work but has also advised customers to apply its patches immediately after they become available. 

SEE: A hacker is patching Citrix servers to maintain exclusive access

FireEye today released a scanner that it developed with Citrix for customers to search their networks for indicators of compromise. The free tool is available from the Citrix and FireEye GitHub repositories. 

Citrix's next set of patches are scheduled for release tomorrow to address the flaw in Citrix ADC and Citrix Gateway versos 12.1, 10.5, and 13.0. 


The FireEye Citrix scanner uses web server access logs to identify scanning activity targeting a specific appliance.

Image: FireEye/Citrix
Editorial standards