Citrix releases final patches for critical CVE-2019-19781 security flaw
Patch ASAP, urges Citrix - then scan your network for any indicator of compromise

Citrix has finally released the last permanent fixes for the CVE-2019-19781 security flaw for version 10.5 of the Citrix Application Delivery Controller (ADC). The company now claims to have released permanent fixes for all supported versions of ADC, Gateway and SD-WAN WANOP.
Citrix has urged organisations to "patch immediately" - presumably, over the weekend. The flaw enables remote, unauthenticated attackers to perform arbitrary code execution, with exploits already having been detected in the wild.
Citrix has now released the full range of fixes for CVE-2019-19781. Patch immediately and read @CISAgov's updated Alert at https://t.co/VVy6NlOFlp for more information. #Cyber #Cybersecurity #InfoSec
— US-CERT (@USCERT_gov) January 24, 2020
Indeed, German automotive parts maker Gedia was taken down with ransomware over the past week, with security researchers warning that the attackers cracked the company's network via vulnerable Citrix devices.
And there is evidence of sophisticated threat actors switching their attention from Pulse Secure VPNs, which were purportedly the entry point for the Travelex ransomware attackers, to Citrix appliances, exploiting CVE-2019-19781.
The vulnerability affects the following Citrix appliances, according to the US-CERT advisory:
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 - all supported builds;
- Citrix ADC and NetScaler Gateway version 11.1 - all supported builds before 11.1.63.15;
- Citrix ADC and NetScaler Gateway version 12.0 - all supported builds before 12.0.63.13;
- Citrix ADC and NetScaler Gateway version 12.1 - all supported builds before 12.1.55.18;
- Citrix ADC and Citrix Gateway version 13.0 - all supported builds before 13.0.47.24;
- Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO - all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).
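The list above is a set of "first fixed build" thresholds per release line, so the natural defender's check is a script that compares an inventory of ADC/Gateway build numbers against them. The following is an added example written for this article, not a Citrix or US-CERT tool: it encodes only the thresholds in the list above, treats every 10.5 build as affected because the list gives no fixed build for that line (confirm the 10.5 fix level against Citrix's own advisory), reports release lines the list does not mention as "unknown" rather than guessing, and leaves the SD-WAN WANOP builds (a different version format) out of scope. The inventory lines and hostnames are constructed sample data.

```python
"""Triage Citrix ADC / NetScaler Gateway builds against the CVE-2019-19781 advisory list.

Added illustration for this article; the thresholds are the ones quoted from the
US-CERT advisory above. Builds are compared as 4-tuples (major, minor, build, sub).
"""
from __future__ import annotations

# First fixed build per release line, as listed in the advisory.
# None means the list says every supported build of that line is affected
# (the page gives no fixed build for 10.5, so all 10.5 builds are flagged here).
FIRST_FIXED_BUILD: dict[tuple[int, int], tuple[int, int, int, int] | None] = {
    (10, 5): None,
    (11, 1): (11, 1, 63, 15),
    (12, 0): (12, 0, 63, 13),
    (12, 1): (12, 1, 55, 18),
    (13, 0): (13, 0, 47, 24),
}


def parse_build(build: str) -> tuple[int, int, int, int]:
    """Parse an ADC build string such as '12.1.55.13' into a comparable tuple."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ADC/Gateway build string: {build!r}")
    major, minor, build_no, sub = (int(p) for p in parts)
    return (major, minor, build_no, sub)


def assess(build: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one build string.

    'unknown' means the release line is not in the advisory list at all; that is
    a prompt to check Citrix's advisory, not a clean bill of health.
    """
    version = parse_build(build)
    line = (version[0], version[1])
    if line not in FIRST_FIXED_BUILD:
        return "unknown"
    fixed = FIRST_FIXED_BUILD[line]
    # Tuple comparison is lexicographic, so 12.1.55.13 < 12.1.55.18 as intended.
    if fixed is None or version < fixed:
        return "vulnerable"
    return "fixed"


def triage(inventory: str) -> dict[str, str]:
    """Map hostname -> status for an inventory of '<host> <build>' lines.

    Blank lines and '#' comments are skipped; unparsable builds are reported as
    'unparsable' so nothing silently drops out of the report.
    """
    report: dict[str, str] = {}
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _, build = line.partition(" ")
        try:
            report[host] = assess(build)
        except ValueError:
            report[host] = "unparsable"
    return report


# Constructed sample inventory (hostnames and builds invented for this example).
SAMPLE_INVENTORY = """\
# host            build
gw-edge-01        12.1.55.13
gw-edge-02        12.1.55.18
adc-legacy-01     10.5.70.5
adc-core-01       13.0.47.23
adc-core-02       13.0.47.24
adc-eol-01        9.3.66.5
adc-typo-01       12.1.55
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Anything reported as "vulnerable" or "unknown" should be upgraded (or confirmed against the vendor advisory) and, as the article goes on to say, checked for indicators of compromise, because installing the fix does not undo access an attacker gained beforehand.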
I examined the files #REvil posted from https://t.co/3wfGoNUqp4 after they refused to pay the #ransomware.
the interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit
my bet is that all recent targets were accessed via this exploit.
(1/2) pic.twitter.com/tWeUR7I1zj
— Under the Breach (@underthebreach) January 24, 2020
But the weekend's work won't be finished once the patches have been installed and the systems restarted.
Users have been advised to scan their networks for evidence of compromise after patching, because attackers who exploited the flaw before the fix was applied may have left behind tools that let them regain access to those systems later. Citrix and FireEye have released a free Indicator of Compromise tool to help users with this.