Patch now: Published Citrix applications leave networks of 'potentially 80,000' firms at risk from attackers

Unauthorised users able to perform 'arbitrary code execution'

A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as NetScaler ADC and NetScaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access.

Citrix (NetScaler) ADC is a load balancer and monitoring tech, while Unified Gateway provides remote access to internal applications. This can include desktop applications as well as intranet or web applications. "Any application on any device from any location" is the marketing pitch.

On 17 December, Citrix published an advisory stating that a vulnerability in these services "could allow an unauthenticated attacker to perform arbitrary code execution."

According to Positive Technologies, the security company which discovered the flaw, no account details are required. Positive says the "first vulnerable version of the software was released in 2014", and estimates that "at least 80,000 companies in 158 countries are potentially at risk."

Since the whole idea of this technology is to enable remote access to internal applications, arbitrary code execution could give the attacker access to the internal network, making it a particularly critical flaw.

Citrix has published mitigation steps which block certain SSL VPN requests, suggesting that this area is where the flaw lies. This is a mitigation rather than a complete fix. An SSL VPN is a secure tunnel into a remote network which uses the SSL protocol.

The affected versions of Citrix ADC and Unified Gateway include 10.5, 11.1, 12.0, 12.1 and 13.0.

The problem has been assigned the ID CVE-2019-19781 and details will be available at this link when published.

Citrix said it is "notifying customers and channel partners about this potential security issue."

Administrators are advised to apply the mitigation immediately. A full software fix will be made available in due course. ®

