Citrix releases permanent fixes for CVE-2019-19781 security flaw in Citrix ADC 11.1 and 12

Patches for other versions expected to be released on 24th January

Citrix has released the first patches for CVE-2019-19781, the security vulnerability affecting Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

"Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads here and here," Citrix's chief information security officer Fermin Serna said in an update.

It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances... to build 11.1.63.15 to install the fixes

"These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated."

"It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes," Serna added.

He also clarified that the patches currently available were for the indicated versions only, adding that customers with multiple ADC versions in production must apply the correct version fix to each system.

https://twitter.com/citrix/status/1219003086133395460?ref\\_src=twsrc%5Etfw

It has also brought forward the dates for the release of patches for other ADC versions and for SD-WAN WANOP:

ADC version 12.1 (refresh build 12.1.55.x) - 24 January 2020
ADC version 13.0 (refresh build 13.0.47.x) - 24 January 2020
ADC version 10.5 (refresh build 10.5.70.x) - 24 January 2020
SD-WAN WANOP 10.2.6 and 11.0.3 -- 24 January 2020

CVE-2019-19781 is a security flaw affecting Citrix Gateway (formerly NetScaler Gateway), Citrix Application Delivery Controller (formerly NetScaler ADC) and some older versions of Citrix SD-WAN WANOP appliance.

If exploited, the vulnerability could enable an unauthenticated remote attacker to access private network resources and execute arbitrary code on vulnerable machines via directory traversal without authentication.

The bug was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who then reported it to Citrix in early December. The company later released a set of risk mitigation measures, including software updates for standalone systems and clusters, and promised to release permanent fixes in the coming days.

The payload not only provides a backdoor into breached appliances, but can also eliminate other malware present on the device

Earlier this month, researchers warned that they had spotted several cyber threat groups scanning the internet for Citrix servers vulnerable to the flaw.

Last week, the Dutch National Cyber Security Centre (NCSC) advised organisations to consider shutting off their Citrix ADC and Gateway servers until Citrix releases a fully working patch for the flaw.

The advisory followed Citrix's admission that its mitigation measures for CVE-2019-19781 did not provide security against exploits on some installations running older firmware.

In another report, security firm FireEye disclosed last week that it had observed a particular threat actor closing the Citrix security hole to keep other hackers out of Citrix servers, but maintain its own presence.

FireEye researchers said that the actor was launching attacks against Citrix servers from behind a Tor node, and was deploying a new payload named NotRobin.

The payload not only provides a backdoor into breached appliances, but can also eliminate other malware present on the device. In this way, it could prevent other actors from installing new payloads on vulnerable hosts.