Citrix has finally started releasing security patches for a critical vulnerability in ADC and Gateway software that attackers started exploiting late December 2019.
The vulnerability, tracked as CVE-2019-19781, is a path traversal vulnerability issue that could allow unauthenticated, remote attackers to execute arbitrary code on several versions of Citrix ADC and Gateway products, as well as two older versions of Citrix SD-WAN WANOP.
Rated critical with a CVSS v3.1 base score of 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who reported it to Citrix in early December.
Since last week, the vulnerability has been (and continues to be) actively exploited, thanks to the public release of multiple proof-of-concept exploit codes.
There are seemingly over 15,000 publicly accessible
vulnerable Citrix ADC and Gateway servers that attackers can exploit (overnight!),
targeting potential enterprise networks.
Last week Citrix released a timeline, promising to release patched firmware updates for all supported versions of ADC and Gateway software before the end of January 2020.
Citrix has stated the following in its advisory: "it is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 220.127.116.11 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 18.104.22.168 to install the security vulnerability fixes."
We recommend that these patches are applied as soon as
possible to prevent any potential loss of service or availability.