Citrix has rushed out official fixes for the well-publicised vuln in some of its server products after miscreants were seen deploying their own custom patches that left a backdoor open for later exploitation.
As previously reported, vulnerabilities in Citrix Application Delivery Encoder and Citrix Gateway could allow remote attackers to carry out unauthenticated code execution.
In other words, baddies not on your network could get into it and start running all kinds of malicious software. And there are thousands upon thousands of vulnerable machines facing the public internet.
Now patches are available for some of the affected products – and sysadmins ought to be installing them pronto.
Some versions of Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, and "certain deployments of two older versions of our Citrix SD-WAN WANOP product versions 10.2.6 and version 11.0.3" are affected by the vulns, according to Citrix.
The vulns themselves were allocated the CVE number CVE-2019-19781. The patches are said to be good for virtual instances of Citrix Gateway 11.1 and 12 as well as Citrix ADC 11.1 and 12.0.
Citrix's Fermin Serna said in a statement: "We urge customers to immediately install these fixes. There are several important points to keep in mind in doing so. These fixes are for the indicated versions only, if you have multiple ADC versions in production, you must apply the correct version fix to each system."
Fresh patches for other Citrix ADC versions as well as SD-WAN WANOP are expected on 24 January, the company said in its statement.
As reported last week, miscreants have begun remotely patching affected devices – ironically, using the vuln itself to gain remote access to do so – but are leaving themselves a backdoor for continued illicit access later on. ®