Citrix has started rolling out security patches for the recently revealed Citrix Application Delivery Controller (ADC) and Citrix Gateway vulnerability.
Disclosed in December 2019 and tracked as CVE-2019-19781, the vulnerability could be exploited to achieve code execution. The issue impacts versions 13.0, 12.1, 12.0, 11.1, and 10.5 of both Citrix ADC and Gateway (previously known as NetScaler ADC and NetScaler Gateway).
The vulnerability is already being exploited in live attacks, which does not come as a surprise, since PoC exploits targeting CVE-2019-19781 were published last week.
On Sunday, Citrix announced that it has released “permanent fixes for ADC versions 11.1 and 12.0.”
“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated,” Citrix Chief Information Security Officer Fermin J. Serna reveals.
He also explains that customers need to upgrade ADC and Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the patches, while ADC and Gateway 12.0 instances (MPX or VPX) should be updated to build 12.0.63.13.
Additionally, Serna notes that Citrix is now targeting January 24 for the release of security fixes for ADC and Gateway versions 12.1, 13, and 10.5, as well as for Citrix SD-WAN WANOP versions 10.2.6 and 11.0.3.
“We urge customers to immediately install these fixes. There are several important points to keep in mind in doing so. These fixes are for the indicated versions only, if you have multiple ADC versions in production, you must apply the correct version fix to each system,” Serna continues.
In December, Citrix published information on the steps organizations can take to mitigate the risk of being exposed to CVE-2019-19781. Until patches are available for them, customers should apply those mitigations.
The mitigations, Serna says, are “effective across all known scenarios,” but customers are advised to apply the permanent fixes for CVE-2019-19781 as soon as possible.
Related: Attacker Installs Backdoor, Blocks Others From Exploiting Citrix ADC Vulnerability
Related: Exploits Published for Citrix ADC Vulnerability, Patches Coming Soon