Customer Notification for Citrix ADC (NetScaler) CVE

Read the announcement below about a recent issue affecting Citrix ADC.

What is the Issue?

On December 16, 2019, Citrix issued a press release to inform customers that a Remote Code Execution (RCE) vulnerability has been identified in Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway) that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution and gain control of the appliance remotely. As of January 11, 2020, proofs of concept are publicly available and malicious actors are actively exploiting this vulnerability in the wild.

The vulnerability has been assigned the following CVE number:

• CVE-2019-19781: Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution. More information is available from NIST.

Who is Affected?

The vulnerability affects all supported Citrix ADC / Gateway (NetScaler ADC / Gateway) product versions and all supported platforms (MPX/SDX/VPX):

• Citrix ADC and Citrix Gateway version 13.0 all supported builds

• Citrix ADC and NetScaler Gateway version 12.1 all supported builds

• Citrix ADC and NetScaler Gateway version 12.0 all supported builds

• Citrix ADC and NetScaler Gateway version 11.1 all supported builds

• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

This vulnerability does not affect Citrix Cloud Gateway service customers (resolved on December 17, 2019).

What Should You Do?

1. Customers should immediately apply the mitigation recommended by Citrix:

  • Create a responder action and policy on affected appliances using the commands provided by Citrix. (Note: If you are licensed only for Citrix Gateway / NetScaler Gateway, the Responder feature is disabled and you will need to contact Citrix Support to obtain a temporary Citrix ADC / NetScaler ADC Standard license for this mitigation.)
  • Ensure that the changes apply to the management interfaces as well.
  • Reboot the appliance to ensure that any open sessions obtained via the vulnerability prior to policy application are cleared.

2. Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware as soon as possible once it is released by Citrix. Subscribe to bulletin alerts to be notified when the new firmware is available.

Fix Timelines

Citrix expects firmware updates, in the form of refresh builds, to be available across all supported versions of Citrix ADC and Citrix Gateway before the end of January 2020. Please refer to the table below for the expected release dates.

How AHEAD Can Help

Please contact your AHEAD Client Director to discuss how our certified experts can assist you with mitigating this vulnerability and perform a Citrix ADC Health Check to ensure you are protected from this and future threats.

During this Service, AHEAD performs the following:

  • Discover and document the current state of the environment.
  • Collect technical support files and upload to Citrix Insight Services (CIS) for automated analysis.
  • Analyze results of CIS report and data collected during Discovery.
  • Prepare Health Check Findings deliverable and review with Client.