Security Experts:

Citrix Vulnerability Leaves 80,000 Companies at Risk

A critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) could allow criminal access to the networks of 80,000 companies in 158 countries.

The countries most at risk are the U.S. (with 38% of the vulnerable networks), the UK, Germany, the Netherlands, and Australia. 

The vulnerability (CVE-2019-19781), described as 'critical' although not yet assigned a CVSS severity rating, was discovered by Positive Technologies. "This vulnerability," says Positive, "affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5."

If the vulnerability is exploited, the attacker does not require access to any accounts, so it can be undertaken by any external actor. It allows unauthorized access to published applications and other internal network resources from the Citrix servers.

"Citrix applications are widely used in corporate networks," commented Dmitry Serebryannikov, director of the security audit department at Positive Technologies. "This includes their use for providing terminal access of employees to internal company applications from any device via the Internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat." 

In its own security bulletin on December 7, 2019, Citrix warned that if exploited, the vulnerability "could allow an unauthenticated attacker to perform arbitrary code execution." The firm has published recommended mitigation steps for the vulnerability, involving configuration changes pending a fix. These steps start with a reboot as "a precautionary step to ensure that if there are any open sessions, obtained via the vulnerability prior to policy application, are cleared."

Positive notes that Citrix issued the mitigation steps "within just a couple of weeks after the vulnerability was discovered. From our experience, we know that in many cases it can take months."

It warns that the vulnerability has existed since 2014, and that it is therefore as important to detect any potential existing exploitation and infrastructure compromise as it is to defend against current or future attacks.

Related: Hackers Can Exploit Siemens Control System Flaws in Attacks on Power Plants 

Related: High-Risk Flaws Found in Process Control Systems From B&R Automation 

Related: Many Vulnerabilities Discovered in Moxa Industrial Switches 

Related: Schneider Electric Vehicle Charging Stations Exposed to Hacker Attacks 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.