Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack
Citrix has finally started rolling out security patches for a critical vulnerability in its Citrix Application Delivery Controller (ADC) and Citrix Gateway products, which attackers started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix.
Citrix has quickened its rollout of patches for a critical vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts.
Several versions of the products remain unpatched, but they will be getting a patch sooner than originally slated. While Citrix originally said some versions would get a patch on Jan. 31, it has now shortened that timeframe, saying fixes are forthcoming on Jan. 24 (Friday of this week).
Also, Citrix patched Citrix ADC and Citrix Gateway version 11.1 (with firmware update Refresh Build 11.1.63.15) and 12 (firmware update Refresh Build 12.0.63.13) on Jan. 19 - a day earlier than it had expected to.
The versions that Citrix expects to patch on Jan. 24 include Citrix ADC and Citrix Gateway version 10.5 (with Refresh Build 10.5.70.x), 12.1 (Refresh Build 12.1.55.x), 13 (Refresh Build 13.0.47.x), as well as Citrix SD-WAN WANOP Release 10.2.6 (with Citrix ADC Release 11.1.51.615) and Citrix SD-WAN WANOP Release 11.0.3 (Citrix ADC Release 11.1.51.615).
When it was originally disclosed in December, the vulnerability did not have a patch, and Citrix announced it would not be issuing fixes for the gateway products and ADC (formerly called NetScaler ADC), a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web, until “late January.”
The vulnerability has been actively exploited in the wild since last week by dozens of hacking groups and individual attackers, thanks to the public release of multiple proof-of-concept exploits. At the same time, researchers warned of active exploitation of, and mass scanning activity for, the vulnerable Citrix products.
According to cyber security experts, as of today there are over 15,000 publicly accessible vulnerable Citrix ADC and Gateway servers that attackers can exploit overnight to potentially target enterprise networks.
Citrix released a free tool that analyzes available log sources and system forensic artifacts to identify whether an ADC appliance has potentially been compromised using the CVE-2019-19781 security flaw.
Citrix Patch Timeline: Stay Tuned for More Software Updates!
Last week Citrix announced a timeline, promising to release patched firmware updates for all supported versions of ADC and Gateway software before the end of January 2020, as shown in the chart.
As part of its first batch of updates, Citrix today released permanent patches for ADC versions 11.1 and 12.0 that also apply to "ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX)."
"It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes," Citrix said in its advisory.
"We urge customers to install these fixes immediately," the company said. "If you have not already done so, you need to apply the previously supplied mitigation to ADC versions 12.1, 13, 10.5, and SD-WAN WANOP versions 10.2.6 and 11.0.3 until the fixes for those versions are available."
The company also warned that customers with multiple ADC versions in production must apply the correct version of the patch to each system separately. Besides installing available patches for supported versions and applying the recommended mitigation for unpatched systems, Citrix ADC administrators are also advised to monitor their device logs for attacks.
UPDATE - Citrix on Thursday also released a second batch of permanent security patches for the critical RCE vulnerability affecting ADC and Gateway versions 12.1 and 13.0.