CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller and Citrix Gateway

Citrix ADC - Application Delivery Controller

There is a critical vulnerability found in Citrix Application Delivery Controller / Netscaler, please read and patch ASAP!

A vulnerability  has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

Renowned security researcher Kevin Beaumont is among those who have caught the reconnaissance in so-called honey pots – isolated and monitored parts of computer systems that claim to be legitimate in attracting malicious activity.

Can hit 80,000

The vulnerability in question, CVE-2019-19781, is thus a critical vulnerability that facilitates remote attacks. The defect lies in the Citrix Application Delivery Controller (Netscaler ADC) and Citrix Gateway (Netscaler Gateway), and was reported to Citrix by Positive Technologies.

The vulnerability has been assigned the following CVE number:

• CVE-2019-19781 : Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution

The vulnerability affects all supported product versions and all supported platforms:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds

• Citrix ADC and NetScaler Gateway version 12.1 all supported builds

• Citrix ADC and NetScaler Gateway version 12.0 all supported builds

• Citrix ADC and NetScaler Gateway version 11.1 all supported builds

• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds


What Customers Should Do

Citrix strongly urges affected customers to immediately apply the provided mitigation. Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released. Subscribe to bulletin alerts at https://support.citrix.com/user/alerts  to be notified when the new firmware is available.

The following knowledge base article contains the steps to deploy a responder policy to mitigate the issue in the interim until a permanent fix is available: CTX267679 – Mitigation steps for CVE-2019-19781

Learn more here

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix

Symptoms or Error

On December 17 2019 Citrix released security bulletin CTX267027: A vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that could lead to arbitrary code execution.

Please take a note of the Migration support article

According to the update, efforts are being made to make permanent fixes that seal the vulnerability, and that these are scheduled to be ready in the period 27 to 31 January.

Please also read this blog post from Citrix