Updated: Exploitation of critical Citrix vulnerability


2:40pm, 21 January 2020

TLP Rating: Clear

Update: this is an updated advisory from 09/01/2020. 

Since our initial publication it was discovered that certain versions of the SD-WAN WANOP appliances are vulnerable. Additionally, it was found that in Citrix ADC and Citrix Gateway Release 12.1 build 50.28, the mitigation provided by Citrix did not function as expected. 

Citrix ADC (Application Delivery Controller, formerly NetScaler ADC), Citrix Gateway (formerly NetScaler Gateway), and certain versions of SD-WAN WANOP appliances allow remote code execution through a directory traversal vulnerability. This vulnerability was published in December 2019. There is widespread reporting of active scanning and exploitation of the vulnerability.

What's happening

Systems affected

The affected products are:

  • Citrix ADC versions 10.5, 11.1, 12.0, 12.1, 13.0
  • Citrix Gateway versions 10.5, 11.1, 12.0, 12.1, 13.0
  • Citrix SD-WAN WANOP 10.2.6, 11.0.3

Citrix ADC is an application load balancer; Gateway provides single sign-on to users across multiple services and applications; SD-WAN WANOP is a traffic optimisation appliance for WAN links.

This vulnerability doesn’t affect other common Citrix products such as Virtual Apps or Remote Desktop which are used to allow users to access corporate assets remotely.

What this means

This vulnerability has been known for a while, but has recently been actively exploited.

Attackers could use this vulnerability to read sensitive files off the appliance, or execute arbitrary code.

What to look for

How to tell if you're at risk

You are at risk if you are using:

  • Citrix ADC versions 10.5, 11.1, 12.0, 12.1, 13.0
  • Citrix Gateway versions 10.5, 11.1, 12.0, 12.1, 13.0
  • Citrix SD-WAN WANOP 10.2.6, 11.0.3

How to tell if you're affected

If you are running vulnerable versions of these Citrix products, check the logs for requests that contain paths ‘/vpns/’ or ‘/../’. Requests for these paths may indicate exploitation attempts.
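
One way to run the log check described above, as an added example rather than CERT NZ's or Citrix's own tooling. It assumes web access logs in Apache common log format; the sample lines, addresses and file names are constructed. It goes slightly beyond the advisory by decoding percent-encoded paths first, so an encoded `/%2e%2e/` is matched as `/../`.

```python
import re
from urllib.parse import unquote

# The two path indicators named in the advisory.
INDICATORS = ("/vpns/", "/../")

# Apache common log format: ip ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2020:03:14:07 +1300] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Jan/2020:03:14:09 +1300] "GET /vpn/index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jan/2020:04:01:33 +1300] "GET /vpns/constructed-example HTTP/1.1" 403 199',
    '198.51.100.7 - - [10/Jan/2020:04:01:35 +1300] "POST /vpn/../vpns/constructed-example HTTP/1.1" 200 143',
    '203.0.113.5 - - [11/Jan/2020:22:40:12 +1300] "GET /a/%2e%2e/b HTTP/1.1" 404 0',
    'truncated or malformed line',
]


def find_indicator_hits(lines):
    """Return (line_no, ip, status, matched_indicators) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip rather than guess
        # Decode twice so both %2e%2e and double-encoded %252e%252e become "..".
        path = unquote(unquote(m.group("path"))).lower()
        matched = [ind for ind in INDICATORS if ind in path]
        if matched:
            hits.append((line_no, m.group("ip"), int(m.group("status")), matched))
    return hits


if __name__ == "__main__":
    for line_no, ip, status, matched in find_indicator_hits(SAMPLE_LOG):
        # The status code helps triage: a 200 means the appliance served the request.
        print(f"line {line_no}: {ip} status={status} indicators={matched}")
```

A match is a lead for investigation rather than proof of compromise; as the advisory says, such requests may indicate exploitation attempts.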

What to do

Mitigation

Citrix have begun releasing patches for the affected appliances. See the schedule on the release page to determine the release date for your version.

Release dates for Citrix patches

CERT NZ recommends you:

  • apply the firmware patches as they become available, and
  • implement the mitigation advice in the meantime.

Citrix have provided mitigation advice. For Citrix ADC and Citrix Gateway Release 12.1 build 50.28, you will need to update to a newer build for the mitigation to work correctly.

Citrix’s mitigation steps for CVE-2019-19781

More information

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384.