Published on: 13 January 2020
A vulnerability has been found in Citrix ADC and Citrix Gateway. An unauthenticated remote attacker may send a specially crafted command to an affected system to exploit the vulnerability.
Users are advised to take immediate action to address the severe vulnerability (CVE-2019-19781) in affected Citrix Application Delivery Controller (ADC) and Citrix Gateway, formerly known as NetScaler ADC and NetScaler Gateway. Since proof-of-concept and fully working exploit code targeting the vulnerability is publicly available, attackers and security researchers are now actively scanning for vulnerable systems. Attacks against any vulnerable system are therefore highly likely.
Successful exploitation could lead to arbitrary code execution on an affected system.
Citrix has not yet released patches to address the vulnerability, but workarounds are available to temporarily mitigate the issue. Even though the workarounds are only a temporary solution, users of affected systems should apply them immediately to minimise exposure to possible cyber attacks. The details of the workarounds can be found at the following URL:
https://support.citrix.com/article/CTX267679
Citrix has announced the expected release date of the patches for all supported versions of Citrix ADC and Citrix Gateway. All patches are expected to be available before the end of January 2020.
Administrators of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
https://support.citrix.com/article/CTX267027
https://support.citrix.com/article/CTX267679
https://www.us-cert.gov/ncas/current-activity/2020/01/08/citrix-application-delivery-controller-and-citrix-gateway
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781