Citrix to release 'thoroughly tested' fixes for CVE-2019-19781 security flaw by the end of January
More than 2,000 servers in teh UK vulnerable to Citrix remote access security flaw
Citrix says it is currently working on permanent fixes for the CVE-2019-19781 security flaw and expects to release them before the end of January.
Unpatched, the security flaw enables hackers to launch remote-code execution attacks on Citrix servers, without requiring credentials.
"As with any product of this nature, and consistent with our policies and procedures, these fixes need to be comprehensive and thoroughly tested," the company said in an online post on its website.
As per the details provided by Citrix, permanent fixes for all supported versions could be released on dates as given below:
- Citrix ADC and Citrix Gateway 13.0 -- 27 th January 2020
- Citrix ADC and NetScaler Gateway 12.1 -- 27 th January 2020
- Citrix ADC and NetScaler Gateway 12.0 -- 20 th January 2020
- Citrix ADC and NetScaler Gateway 11.1 -- 20 th January 2020
- Citrix NetScaler ADC and NetScaler Gateway 10.5 -- 31 st January 2020
CVE-2019-19781 is a path traversal bug that affects Citrix Gateway (formerly NetScaler Gateway) and Citrix Application Delivery Controller (formerly NetScaler ADC) servers. It can be exploited by a remote attacker over the internet to gain unauthorised access to vulnerable systems and execute arbitrary code on them.
Hackers don't need to provide any authentication credentials in order to launch attacks. All they need to do is to send a boobytrapped request to the vulnerable device, as well as the exploit code they want to run on the device.
We are aware of multiple actors who have now weaponised this vulnerability
The bug was first discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who warned that more than 80,000 organisations could be at risk due to this vulnerability. More than 2,000 Citrix servers in teh UK - and almost 10,000 in the US - are vulnerable to the flaw, according to security specialists Bad Packets.
Following the publishing of CVE-2019-19781 details in public domain last month, Citrix released a set of risk mitigation measures (in the form of configuration adjustments) for standalone systems and clusters, and advised affected customers to apply those mitigation measures without any delay.
Last week, security researchers warned that they had observed cyber criminals actively scanning the internet for vulnerable Citrix servers.
On Friday, two proof-of-concept (PoC) exploit codes for CVE-2019-19781 were published on GitHub by security researchers named "Project Zero India" and "TrustedSec". These PoCs will lower the bar to attack even further for organisations running vulnerable sytstems.
"Lots of good security architectures appropriately rely on Citrix to reduce the attack surface significantly and now they are at significant risk," Rob Joyce, a senior official at the National Security Agency, said in a tweet.
In an online post, cyber security firm MDSec also discussed its findings on Citrix vulnerability and how attackers might exploit the vulnerability.
"Due to the number of devices impacted, MDSec have decided not to provide a ready-made exploit for this vulnerability," said Rio Sherri, a security consultant at MDSec.
"However, we are aware of multiple actors who have now weaponised this vulnerability and felt it important to share this research so others can take appropriate action," Sherri added.