A critical flaw in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) could expose the networks of 80,000 organizations in 158 countries to criminal activity.
The most at-risk countries are the United States (with 38% of exposed networks), the United Kingdom, Germany, the Netherlands, and Australia.
Positive Technologies has identified the weakness (CVE-2019-19781), classified as 'serious', although it has not yet been given a CVSS severity rating.
“This vulnerability,” says Positive, “affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.”
Exploiting the bug requires no access to any accounts, so any external attacker can attempt it. It allows unauthorized access, from Citrix servers, to published applications and other internal network services.
“Citrix applications are widely used in corporate networks,” commented Dmitry Serebryannikov, director of the security audit department at Positive Technologies. “This includes their use for providing terminal access of employees to internal company applications from any device via the Internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.”
On December 7, 2019, Citrix warned in its own security bulletin that if exploited, the vulnerability might allow an unauthenticated attacker to execute arbitrary code.
The firm has published recommended mitigation steps for the vulnerability, involving configuration changes pending a fix. These steps start with a reboot as “a precautionary step to ensure that if there are any open sessions, obtained via the vulnerability prior to policy application, are cleared.”
Citrix issued the mitigation steps “within just a couple of weeks after the vulnerability was discovered. From our experience, we know that in many cases it can take months.”
It states that the weakness has persisted since 2014, so identifying any possible ongoing abuse and network breach is as critical as protecting against current or future threats.