Citrix finally patches a vulnerability that is being actively exploited

Citrix releases security patches for a critical ADC and Gateway software flaw that attackers already exploited in the wild

Citrix issues permanent fixes for the vulnerability

The flaw, which affects tens of thousands of known VPN servers, finally has a permanent patch. The vulnerability in Citrix systems was disclosed in December, but at the time the company released no permanent fix.[1] On Sunday, however, Citrix issued an update and assured customers that fixes for all affected versions are on the way.[2]

CVE-2019-19781 allows unauthenticated remote attackers to execute arbitrary code on Citrix Application Delivery Controller (ADC) and Gateway appliances, as well as on older versions of Citrix SD-WAN WANOP.[3] According to some researchers,[4] more than 15,000 publicly reachable servers were still vulnerable and could serve attackers as entry points into enterprise networks.

Citrix's security record was already under scrutiny. In one earlier breach, attackers remained inside the company's own network for six months before the intrusion was confirmed.[5] The slow patch for this flaw has therefore raised further questions about the company and the security of its products in general.

Patch timeline reveals more software updates coming in the future

According to official statements from Citrix, all supported versions of the ADC and Gateway software will receive patches before the end of January 2020.[6] This first set of permanent fixes covers versions 11.1 and 12.0, including ADC and Gateway VPX instances hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance.

The company urges customers to install the fixes, and notes that where several versions are in use, the published mitigation must stay in place on every version for which a permanent fix is not yet available:

We strongly encourage customers to apply the permanent fixes as soon as possible. If you have not already done so, you need to apply the previously supplied mitigation to ADC versions 12.1, 13, 10.5, and SD-WAN WANOP versions 10.2.6 and 11.0.3 until the fixes for those versions are available.

Up to 80,000 organizations in 159 countries were put at risk

The vulnerability was disclosed on December 17th, when it was reported as a flaw exploitable without authentication. At that point it was estimated that at least 80,000 organizations were at risk. Citrix then published only mitigation steps, not a proper fix.

Attackers quickly began scanning for vulnerable servers, and a spike in exploit activity was observed in January. News outlets reported the NOTROBIN payload, which campaigns dropped onto devices still affected by CVE-2019-19781.

Permanent fixes for Citrix versions 11.1 and 12.0 are available for download from Citrix.

If you cannot apply the fix yet, you need an interim measure. As the company suggests, you can either take the affected Citrix servers offline or block directory traversal attempts with a web application firewall. Either way, proceed with caution when changing a Citrix environment, because the risk to the business remains until the permanent fix is installed.
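As an added example, not code from the article or from Citrix: a small Python filter of the kind a WAF rule or a log review would apply to catch the directory traversal attempts mentioned above. It decodes the request path repeatedly (to defeat double encoding), flags any `..` segment or any path that escapes the web root, and runs the same check over a few constructed access-log lines to show which attempts were blocked and which were served. The addresses, timestamps and paths in the sample log are made up, and no vendor-specific signature is assumed.

```python
"""WAF-style directory-traversal filter and access-log scanner (added example).

Assumptions (not from the article): requests are identified by the raw URL
path as a web server logs it; the SAMPLE_LOG lines below are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (simplified common log format).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
203.0.113.10 - - [10/Jan/2020:10:01:05 +0000] "GET /vpn/../etc/passwd HTTP/1.1" 200 1301
198.51.100.7 - - [10/Jan/2020:10:02:11 +0000] "GET /vpn/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 0
198.51.100.7 - - [10/Jan/2020:10:02:30 +0000] "POST /vpn/..%252f..%252fcfg/x HTTP/1.1" 200 0
192.0.2.44 - - [10/Jan/2020:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)


def decode_path(path, rounds=3):
    """URL-decode repeatedly so that double-encoded '..' is not missed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path, allowed_prefix="/"):
    """Return True if the decoded path has a '..' segment or leaves the root.

    A WAF rule blocks on the mere presence of '..' (as the mitigation the
    article describes does); the normpath check additionally catches paths
    that would resolve outside allowed_prefix without a literal '..'.
    """
    decoded = decode_path(path.split("?", 1)[0])
    # Some servers treat backslash as a separator; normalise before splitting.
    decoded = decoded.replace("\\", "/")
    if ".." in decoded.split("/"):
        return True
    return not posixpath.normpath(decoded).startswith(allowed_prefix)


def scan_log(text):
    """Return (ip, raw path, status) for every traversal attempt in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


def served_attempts(hits):
    """Attempts that got a 2xx: the request reached the server unblocked."""
    return [h for h in hits if 200 <= h[2] < 300]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, path, status in found:
        print(f"{ip} {status} {path}")
    print(f"{len(served_attempts(found))} of {len(found)} attempts were served")
```

A 403 on a traversal path shows the filter in front of the appliance did its job; a 200 on the same kind of path is the line to escalate, because it means the request reached the vulnerable handler.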

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
