January 20, 2020
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has published an alert on a critical vulnerability, CVE-2019-19781, that affects Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0. A remote, unauthenticated attacker could exploit the vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild. Citrix has released some firmware updates already and expects to release more through January 24. CISA strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible once the appropriate firmware update becomes available. Read the advisory at CISA.
January 17, 2020
Citrix has released an article with updates on CVE-2019-19781, a vulnerability affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway. This vulnerability also affects Citrix SD-WAN WANOP product versions 10.2.6 and version 11.0.3. The article includes updated mitigations for Citrix ADC and Citrix Gateway Release 12.1 build 50.28. An attacker could exploit CVE-2019-19781 to take control of an affected system. Citrix plans to begin releasing security updates for affected software starting January 20, 2020.
CISA recommends users and administrators:
- Review the Citrix article on updates on Citrix ADC, Citrix Gateway vulnerability, published January 17, 2020;
- See Citrix Security Bulletin CTX267027 – Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance;
- Apply the recommended mitigations in CTX267679 – Mitigation Steps for CVE-2019-19781; and
- Verify the successful application of the above mitigations by using the tool in CTX269180 – CVE-2019-19781 – Verification ToolTest.
January 13, 2020
The U.S. Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) has released a utility that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability. According to Citrix Security Bulletin CTX267027, beginning on January 20, 2020, Citrix will be releasing new versions of Citrix ADC and Citrix Gateway that will patch CVE-2019-19781. CISA strongly advises affected organizations to review CERT/CC’s Vulnerability Note VU#619785 and Citrix Security Bulletin CTX267027 and apply the mitigations until Citrix releases new versions of the software. Read the advisory at CISA.