Vulnerability in Citrix Application Delivery Controller Discovered

A cybersecurity alert was issued yesterday, Wednesday, Jan. 8, 2020, regarding a vulnerability in Citrix Application Delivery Controller. The vulnerability could allow an attacker to execute arbitrary code, which could potentially lead to a breach.

What It Is:
A vulnerability has been discovered in the Citrix Application Delivery Controller Web Server which could allow for remote code execution. Citrix Application Delivery Controller is a load balancer used for web, application, and database servers.

Successful exploitation of this vulnerability could allow for arbitrary code execution within the context of a privileged process. Depending on the privileges associated with the web service, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it were configured with administrative rights.

Read the original Citrix Support Knowledge Center articles below for more information:

• CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway
• Mitigation Steps for CVE-2019-19781

Threat Intelligence:
There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Risk:
Government:
• Large and medium government entities: High
• Small government entities: High
Businesses:
• Large and medium business entities: High
• Small business entities: High
Home users: Medium

What It Means:
If you and/or your business utilize the Citrix products mentioned above, you will need to apply the workaround provided by the Citrix advisory since there is currently no patch for this vulnerability. Once a patch is available from Citrix, apply it to vulnerable systems following proper testing.

Technical Summary:
A vulnerability has been discovered in the Citrix Application Delivery Controller Web Server which could allow for remote code execution. Exploitation relies on a directory traversal vulnerability together with a vulnerability in the /vpns/ directory of the web server.
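
For defenders reviewing web server access logs, the following added example (not part of the original advisory or of Citrix's guidance) flags requests whose path combines a directory traversal segment with the /vpns/ directory, including percent-encoded and double-encoded forms. The common/combined log format, the sample lines, and the placeholder paths are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(path, max_rounds=5):
    """Percent-decode repeatedly so single- and double-encoded dots/slashes surface."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_suspicious(target):
    """True when a request path combines a '..' segment with the /vpns/ directory."""
    path = decode_fully(target.split("?", 1)[0]).lower()
    segments = path.split("/")
    return ".." in segments and "vpns" in segments

def scan(lines):
    """Return (line_number, client, target) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and is_suspicious(match.group("target")):
            hits.append((number, line.split()[0], match.group("target")))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Jan/2020:10:02:11 +0000] "GET /a/../vpns/placeholder HTTP/1.1" 200 1024',
    '198.51.100.7 - - [09/Jan/2020:10:02:12 +0000] "POST /a/%2e%2e/vpns/placeholder HTTP/1.1" 200 88',
    '198.51.100.8 - - [09/Jan/2020:10:03:40 +0000] "GET /a/%252e%252e/vpns/placeholder HTTP/1.1" 403 0',
    '192.0.2.11 - - [09/Jan/2020:10:04:05 +0000] "GET /vpns/placeholder HTTP/1.1" 200 300',
    '192.0.2.12 - - [09/Jan/2020:10:05:19 +0000] "GET /docs/../index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, client, target in scan(SAMPLE_LOG):
        print(f"line {number}: {client} requested {target}")
```

A hit means such a request was logged, not that it succeeded, so review the response code and the source address alongside it.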

What To Do:
We recommend the following actions be taken:

• Apply the workaround provided by the Citrix advisory as there is currently no patch for this vulnerability.
• Apply appropriate patches provided by Citrix to vulnerable systems once available after appropriate testing.
• Remind users not to download, accept, or execute files from untrusted or unknown sources.
• Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

Negative Consequences of Lost or Stolen Data:
The loss or theft of proprietary data can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

• Temporary or permanent loss of sensitive or proprietary information.
• Disruption to regular operations.
• Financial losses incurred to restore systems and files.
• Potential harm to an organization’s reputation.

Should your agency or business need assistance with issues arising from vulnerabilities in Citrix Application Delivery Controller, including updates and/or patches, Dox can help. Please contact Dox if there is anything we can do to assist in securing your agency, business, or organization.

Thank you for your time and stay safe online.