On the 17th of December 2019 Citrix released security bulletin CTX267027: A vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that could lead to arbitrary code execution.
When the advisory was released Coffee Cup Solutions sprung into action to ensure our customers were aware and taking steps to mitigate the risk of this vulnerability.
In line with responsible disclosure of a vulnerability Citrix limited the amount of information about the potential exploit so as not to trigger a tidal wave of public exploitation. At the end of December Coffee Cup Solutions were able to replicate the exploit in our labs to assess the probability, ease and impact of exploitation and assessed that if unpatched:
- This vulnerability is trivial to exploit by a malicious party remotely
- The impact to this vulnerability on the appliance is severe
- It was easy to detect vulnerable appliances on the public internet
On the 11th of January 2020 exploit code was released publicly by several sources at which point mass scanning for this vulnerability and exploitation of the vulnerability was detected globally.
As such we wanted to try and broaden our audience and spread the word to make sure people take necessary steps to prevent exploitation.
For customers running Citrix ADC Standard or above the Citrix ADC Responder feature can be utilised to mitigate this exploit using the following steps:
https://support.citrix.com/article/CTX267679
For customers running Citrix Gateway (formally NetScaler Gateway or Access Gateway Enterprise) there are currently no official mitigating steps released by Citrix as this license does not include the Responder feature used in the Citrix Mitigation however Coffee Cup Solutions have a mitigation solution that can be applied to specific Gateway configurations without impacting service
Citrix have announced the following release dates for a permanent fix, Coffee Cup Solutions strongly recommends that this is applied when released due to the ease of detection, severe impact and high probability of compromise.
| Version | Fix release date |
| 13 | 27-Jan-2020 |
| 12.1 | 27-Jan-2020 |
| 12 | 20-Jan-2020 |
| 11.1 | 20-Jan-2020 |
| 10.5 | 31-Jan-2020 |
If you, or your customers, are running Citrix ADC (formally NetScaler) or Citrix Gateway (formally NetScaler Gateway or Access Gateway Enterprise) and need assistance with:
- Detecting if you are vulnerable
- Detecting if you have already been exploited and assisting with post exploitation assessment and remediation
- Require assistance applying mitigating steps
- Require assistance applying the permanent fix when released
- Have any other questions about Citrix ADC products
Please contact on us 0118 38 42 175 or email [email protected]
More details:
Citrix Ref: CTX267027
CVE: CVE-2019-19781
Affected Appliances:
The vulnerability affects all supported product versions and all supported platforms:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds