Citrix Accelerates Patch Rollout For Critical RCE Flaw


Citrix has issued the first of several updates fixing a critical vulnerability in various versions of its Citrix Application Delivery Controller (ADC) and Citrix Gateway products.

Citrix has quickened its rollout of patches for a critical vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts.

Several versions of the products still remain unpatched – but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch Jan. 31, it has now also shortened that timeframe, saying fixes are forthcoming on Jan 24 (Friday of this week).

Also, Citrix patched Citrix ADC and Citrix Gateway version 11.1 (with firmware update Refresh Build and 12 (firmware update Refresh Build on Jan. 19 — a day earlier than it had expected to.

Threatpost Webinar Promo Mobile App Security

The versions that Citrix expects to patch on Jan. 24 include Citrix ADC and Citrix Gateway version 10.5 (with Refresh Build 10.5.70.x), 12.1 (Refresh Build 12.1.55.x), 13 (Refresh Build 13.0.47.x), as well as Citrix SD-WAN WANOP Release 10.2.6 (with Citrix ADC Release and Citrix SD-WAN WANOP Release 11.0.3 (Citrix ADC Release

When it was originally disclosed in December, the vulnerability did not have a patch, and Citrix announced it would not be issuing fixes for the gateway products and ADC (formerly called NetScaler ADC), a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web, until “late January.”

However, in the following weeks after disclosure, various researchers published public proof-of-concept (PoC) exploit code for the flaw. At the same time, researchers warned of active exploitations, and mass scanning activity, for the vulnerable Citrix products.

In one unique case of exploitation, researchers at FireEye said last week that a threat actor was targeting vulnerable Citrix devices with a previously-unseen payload, which they coined as “NOTROBIN.”

Researchers said that the attack group behind the payload appeared to be scanning for vulnerable ADC devices and deploying their own malware on the devices, which would then delete any previously-installed malware. Researchers suspect that the threat actors may be trying to maintain their own backdoor access in compromised devices.

“Upon gaining access to a vulnerable NetScaler [ADC] device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,” researchers said.

With patches now being available or soon to be rolled out, security experts urge customers to update as soon as possible.

“CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available,” according to a Monday CISA alert on the patches. “The fixed builds can be downloaded from Citrix Downloads pages for Citrix ADC and Citrix Gateway. Until the appropriate update is accessible, users and administrators should apply Citrix’s interim mitigation steps for CVE-2019-19781.”

Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.

Suggested articles

What the New OWASP Top 10 Changes Mean to You?

The OWASP top 10 list of critical security risks will have a big impact on how businesses address application security moving forward. The changes to the list will require businesses to reevaluate their application security posture holistically. Learn more about the most significant changes that have emerged and how businesses can address them.

API Shadow

Bring Your APIs Out of the Shadows to Protect Your Business

APIs are immensely more complex to secure. Shadow APIs—those unknown or forgotten API endpoints that escape the attention and protection of IT¬—present a real risk to your business. Learn how to identify shadow APIs and take control of them before attackers do.