Just before the Christmas holidays, Citrix released CTX267027, announcing a remote code execution vulnerability in their ADC and Gateway products, formerly NetScaler and NetScaler Gateway.
The vulnerability, known as CVE-2019-19781, allows an attacker to execute code on vulnerable gateways and SD-WAN WANOP appliances, even from remote sites and without any authentication. As of now, there’s no fix / patch available from Citrix, but they released CTX267679 explaining mitigation steps. Put plainly, Citrix recommends configuring a responder policy to block those attacks and binding it globally to your ADC / Gateway instances. The process is described in that article.
We will keep you informed of any further fixes / patches and new firmware releases. In the meantime: take action, the responsibility is yours.
Update: we’ve been very busy helping customers get rid of the crypto miners and back doors installed on vulnerable systems. In some cases, a full rebuild of their ADC / Gateway environment was needed; some MPX appliances needed new system disks from Citrix, and others reported a full RMA of their MPX. Colleagues at PTEC and CUCG reported several issues and oddities with the new firmware versions released to fix the CVE-2019-19781 vulnerability. Maybe I’ll write a round-up and post it here, I dunno …
The firmware updates are available for all ADC / Gateway and SD-WAN WANOP platforms, please find ’em here:
- Citrix ADC / Gateway 13.0 Build 47.24, see https://www.citrix.com/downloads/citrix-adc/firmware/release-13-0-build-47-24.html
- Citrix ADC / Gateway 12.1 Build 55.18, see https://www.citrix.com/downloads/citrix-adc/firmware/release-121-build-5518.html
- Citrix ADC / Gateway 12.0 Build 63.13, see https://www.citrix.com/downloads/citrix-adc/firmware/release-120-build-6313.html
- Citrix ADC / Gateway 11.1 Build 63.15, see https://www.citrix.com/downloads/citrix-adc/firmware/release-111-build-6315.html
- Citrix ADC / Gateway 10.5 Build 70.12, see https://www.citrix.com/downloads/citrix-adc/firmware/release-105-build-70-12.html
- Citrix SD-WAN WANOP Version 10.2.6b, see https://www.citrix.com/downloads/citrix-sd-wan/sd-wan-wanop-edition/appliance-software-release-102628.html
- Citrix SD-WAN WANOP Version 11.0.3b, see https://www.citrix.com/downloads/citrix-sd-wan/sd-wan-wanop-edition/appliance-software-release-110359.html
Please keep in mind, NSOS 11.0 is not supported anymore, so there’s no updated firmware available. So update all your 10.5 environments out there!
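To triage a fleet against the ADC / Gateway builds listed above, the following added example (not from Citrix or the original post) classifies version banners per branch. The banner shape `NS<branch>: Build <x>.<y>` and the host names and banners in `SAMPLE` are assumptions constructed for illustration; SD-WAN WANOP versions are not covered.

```python
import re

# Fixed ADC / Gateway builds, taken from the download list in this post.
FIXED_BUILDS = {
    "13.0": (47, 24),
    "12.1": (55, 18),
    "12.0": (63, 13),
    "11.1": (63, 15),
    "10.5": (70, 12),
}
# Branch the post names as unsupported: no fixed firmware exists for it.
UNSUPPORTED = {"11.0"}

# Assumed banner shape, e.g. "NetScaler NS12.1: Build 50.28.nc, Date: ..."
BANNER = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")
ORDER = {"unsupported": 0, "needs-update": 1, "unknown": 2, "fixed": 3}


def classify(banner):
    """Return 'fixed', 'needs-update', 'unsupported' or 'unknown'."""
    m = BANNER.search(banner)
    if not m:
        return "unknown"
    branch = m.group(1)
    # Compare builds as integer pairs: 55.9 is older than 55.18,
    # which a plain string or float comparison would get wrong.
    build = (int(m.group(2)), int(m.group(3)))
    if branch in UNSUPPORTED:
        return "unsupported"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"  # branch not in the list above
    return "fixed" if build >= fixed else "needs-update"


def triage(inventory):
    """Return (host, status) pairs, hosts needing action first."""
    results = {host: classify(b) for host, b in inventory.items()}
    return sorted(results.items(), key=lambda kv: (ORDER[kv[1]], kv[0]))


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "gw-a": "NetScaler NS13.0: Build 47.24.nc, Date: (constructed)",
    "gw-b": "NetScaler NS12.1: Build 55.9.nc, Date: (constructed)",
    "gw-c": "NetScaler NS11.0: Build 72.16.nc, Date: (constructed)",
    "gw-d": "banner unavailable",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}: {status}")
```

A `fixed` result only says the firmware is current; appliances that were exposed before the update may still carry the miners and back doors mentioned in the update above.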
Cheers,
Jochen.