Positive Technologies warned that the critical vulnerability CVE-2019-19781 in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) threatens 80,000 companies in 158 countries. The largest share of vulnerable organizations is in the United States (over 38%); companies in Germany, the UK, the Netherlands, Australia and other countries are also at risk. Russia ranks 26th by total number of potentially vulnerable companies across various business sectors.
The vulnerability has been reported since 2014, and all supported versions of the product and all supported platforms are affected, including Citrix ADC and Citrix Gateway version 13.0, Citrix ADC and NetScaler Gateway version 12.1, Citrix ADC and NetScaler Gateway version 12.0, Citrix ADC and NetScaler Gateway version 11.1, as well as Citrix NetScaler ADC and NetScaler Gateway version 10.5.
In almost all cases, Citrix applications are reachable at the perimeter of the company’s network, which makes them among the first targets of attack. The vulnerability therefore allows an external unauthorized attacker not only to gain access to published applications, but also to attack other resources on the victim company’s internal network from the Citrix server.
Citrix developers have already released a set of mitigation measures for this vulnerability and insist on immediately updating all vulnerable software versions to the recommended ones. In their security bulletin of December 7, 2019, Citrix representatives warned that exploiting the vulnerability “could allow an unauthenticated attacker to execute arbitrary code.”
“Citrix applications are widely used in corporate networks, including for organizing terminal access for employees to internal company applications from any device via the Internet. Given the high level of risk of the revealed vulnerability and the prevalence of Citrix software in the business environment, we recommend that IS services take immediate measures to eliminate the threat,” said Dmitry Serebryannikov, director of security analysis at Positive Technologies. “Separately, we want to note the high efficiency of the work of the vendor, which has created and published a set of measures to reduce risks in just two weeks from the moment the vulnerability was identified. Our experience shows that in some cases this period can stretch to months.”