A critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) could allow criminal access to the networks of 80,000 companies in 158 countries.
The countries most at risk are the U.S. (with 38% of the vulnerable networks), the UK, Germany, the Netherlands, and Australia.
The vulnerability (CVE-2019-19781), described as ‘critical’ although not yet assigned a CVSS severity rating, was discovered by Positive Technologies. “This vulnerability,” says Positive, “affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.”
If the vulnerability is exploited, the attacker does not require access to any accounts, so it can be undertaken by any external actor. It allows unauthorized access to published applications and other internal network resources from the Citrix servers.
“Citrix applications are widely used in corporate networks,” commented Dmitry Serebryannikov, director of the security audit department at Positive Technologies. “This includes their use for providing terminal access of employees to internal company applications from any device via the Internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.”
In its own security bulletin on December 7, 2019, Citrix warned that if exploited, the vulnerability “could allow an unauthenticated attacker to perform arbitrary code execution.” The firm has published recommended mitigation steps for the vulnerability, involving configuration changes pending a fix. These steps start with a reboot as “a precautionary step to ensure that if there are any open sessions, obtained via the vulnerability prior to policy application, are cleared.”
Positive notes that Citrix issued the mitigation steps “within just a couple of weeks after the vulnerability was discovered. From our experience, we know that in many cases it can take months.”
It warns that the vulnerability has existed since 2014, and that it is therefore as important to detect any potential existing exploitation and infrastructure compromise as it is to defend against current or future attacks.