WIREDGOV

An NCSC alert detailing the investigation into the exploitation of a critical vulnerability in Citrix products.

Details

The NCSC is investigating exploitations of a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that could allow an unauthenticated attacker to perform arbitrary code execution on a network. The vulnerability is CVE-2019-19781 and its exploitation has been widely reported online in early January.

The following Citrix products are affected:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Mitigation

Citrix initially disclosed this vulnerability in an Advisory on 17 December 2019. There is currently no patch, although Citrix have advised customers that updates for affected products will be available from 20 January 2020 onwards, depending on the product.

Before a patch is released, Citrix have provided mitigation advice which the NCSC strongly advises organisations to implement. Full details of how to mitigate are on the Citrix website.

Organisations are advised to check the Citrix website to keep up to date with patch releases.

The NCSC also recommends that organisations carry out searches across their networks to identify whether exploitation has taken place, if they did not implement these mitigations before Citrix disclosed the vulnerability on 17 December 2019.

Click here for the full press release