A critical Citrix vulnerability has shaken up the cybersecurity community over the last month. The bug, which put numerous enterprises at risk, quickly came under active exploitation and caused widespread alarm. Although Citrix had published mitigations, many of the organisations at risk were not protected by them in time. Citrix is now releasing fixes for this critical vulnerability in Citrix ADC and Citrix Gateway.
Critical Citrix Vulnerability Overview
In December 2019, a security researcher reported a serious flaw in Citrix ADC (formerly NetScaler ADC) and Citrix Gateway (formerly NetScaler Gateway). Exploiting it lets an adversary execute arbitrary code on the affected appliance.
In brief, it is a path traversal bug: an attacker with network access to the appliance can reach parts of the device that should not be exposed, without any credentials. A single crafted HTTP request, only a few lines long, is enough to carry out the attack.
The vulnerability, tracked as CVE-2019-19781, was left unpatched at disclosure and quickly caught the attention of cybercriminals as well. The result was near-panic in the security community, because the published mitigations were not preventing the active exploitation being observed in the wild.
Intensifying matters further, a proof-of-concept exploit appeared on GitHub a few days ago, making it trivial for anyone to reproduce the attack.
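Because the attack is a single unauthenticated request, the most useful thing a defender can do while waiting for a patch is hunt for it in access logs. The following script is an added example written for this article; it is not Citrix's tool or the public PoC. It assumes the traversal pattern described in the public advisories and Citrix's interim mitigation, namely a request that reaches the `/vpns/` path via `/../`, and it decodes URL encoding repeatedly so that single- and double-encoded dots (`%2e`, `%252e`) do not slip past the check. The log lines are constructed for the demonstration and do not come from any real system.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed Apache-style access-log sample (hypothetical addresses and requests).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123
203.0.113.11 - - [11/Jan/2020:10:01:05 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 834
203.0.113.12 - - [11/Jan/2020:10:01:07 +0000] "GET /vpn/%252e%252e/vpns/cfg/smb.conf HTTP/1.1" 200 834
203.0.113.13 - - [11/Jan/2020:10:01:09 +0000] "GET /vpns/portal/login.html HTTP/1.1" 200 2210
203.0.113.14 - - [11/Jan/2020:10:01:11 +0000] "GET /vpn/%2e%2e/vpns/ HTTP/1.1" 403 0
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(path, max_rounds=3):
    """URL-decode until the string stops changing, so double encoding is unwrapped.
    max_rounds bounds the work on pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_to_vpns(raw_path):
    """True when the request reaches /vpns/ through a /../ traversal.
    This mirrors the traversal half of the published mitigation logic; it cannot
    tell whether the client held a valid VPN session, which logs do not record."""
    path = decode_path(raw_path).split("?", 1)[0]
    return "/vpns/" in path.lower() and "/../" in path


def scan(log_text):
    """Return (ip, method, resolved_path, status) for every suspicious request.
    resolved_path is the target after dot-segment normalisation, so an analyst
    sees what the traversal actually reached rather than the encoded request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        if is_traversal_to_vpns(m["path"]):
            clean = decode_path(m["path"]).split("?", 1)[0]
            hits.append((m["ip"], m["method"], posixpath.normpath(clean), int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, method, target, status in scan(SAMPLE_LOG):
        verdict = "blocked" if status == 403 else "SERVED"
        print(f"{ip} {method} {target} -> {status} ({verdict})")
```

The status column matters: a 403 shows the interim mitigation turning the request away, while a 200 on a traversal to `/vpns/` means the appliance answered it and should be treated as potentially compromised, not merely probed. Run the scanner over the real access logs of every exposed appliance, not just the sample above.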
Citrix Releasing Patches Gradually
A month after public disclosure, Citrix has finally begun addressing the flaw, although it has not yet shipped fixes for every vulnerable product line.
Specifically, Citrix has announced permanent patches for Citrix ADC and Citrix Gateway versions 11.1 and 12.0, which are available from Citrix's download pages for each version.
To apply them, administrators running Citrix ADC and Citrix Gateway 11.1 must upgrade to build 11.1.63.15; those running Citrix ADC and Citrix Gateway 12.0 must upgrade to build 12.0.63.13.
Citrix also clarified the scope of these patches:
These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.
Fixes for ADC versions 12.1, 10.5 and 13.0, as well as for SD-WAN WANOP 10.2.6 and 11.0.3, are scheduled to arrive on January 24, 2020.
Alongside the patches, Citrix has also released a verification tool that lets system administrators confirm the fixes have been installed correctly.
Let us know your thoughts in the comments.