Vulnerability in Citrix ADC and Gateway: If you run Citrix in your network, this is a must-read

It’s now or never to prevent your enterprise servers running vulnerable versions of Citrix ADC and Gateway solutions from getting hacked by remote attackers. A patch is expected in the coming weeks for versions 10.5 through 13.x – in the meantime, it’s critical that you adhere to the mitigation steps outlined in this article.

As you may be aware, Citrix released an article last month identifying a path traversal flaw in Citrix Application Delivery Controller (ADC) and Gateway. This flaw, tracked as CVE-2019-19781, puts any affected system at risk of attack, allowing unauthenticated users to potentially gain remote code execution.

And this is no small-scale issue – over 125,000 Citrix ADC or Gateway hosts are publicly accessible.

Growing awareness

Attackers are aware of the flaw and are intently searching for vulnerable hosts. Several exploit scripts that target CVE-2019-19781 are now publicly available, and many organizations are already reporting exploitation attempts. Several organizations have also described how they identified attackers, or how they achieved limited file writes on vulnerable hosts in their own tests. Successful attempts often use requests with these paths:

  • /vpns/
  • /vpn/../vpns/cfg/smb.conf
  • /vpn/../vpns/portal/scripts/newbm.pl
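To check whether requests like the ones above have already reached an appliance, the access log can be scanned for any request whose decoded, normalized path resolves under /vpns/, and whether the appliance served it (200) or refused it (403). The script below is an added example, not part of the original article or of Citrix's own tooling; the log lines are constructed, in common log format, and the field layout of a real appliance log may differ.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.11 - - [13/Jan/2020:10:01:05 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1024
203.0.113.12 - - [13/Jan/2020:10:01:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 45
203.0.113.13 - - [13/Jan/2020:10:02:00 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 403 0
203.0.113.14 - - [13/Jan/2020:10:02:30 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048
"""

# Assumed log layout: client IP, identity fields, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(text):
    """Return one finding per request whose path resolves under /vpns/.

    The path is URL-decoded twice (to catch double encoding) and then
    collapsed with normpath, so '/vpn/../vpns/x' and '/vpn/%2e%2e/vpns/x'
    both resolve to '/vpns/x'. Traversal is recorded separately so that a
    plain '/vpns/' request and a '/../' request can be told apart.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(unquote(m["path"].split("?", 1)[0]))
        norm = normpath(decoded)
        if norm != "/vpns" and not norm.startswith("/vpns/"):
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "normalized": norm,
            "traversal": "/.." in decoded,
            # A 403 means the responder policy (or similar control) refused it;
            # a 200 on such a request means the appliance served it and needs investigation.
            "blocked": m["status"] == "403",
        })
    return findings
```

A 200 on a traversal request to newbm.pl in particular is the case to escalate, since the page notes that path is used to achieve file writes.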

Mitigation steps

Until a permanent fix is available (expected in the coming weeks for versions 10.5 through 13.x), take these steps in the interim to mitigate attack attempts. The steps involve running a series of commands from the command line interface of the appliance to create a responder action and policy – the policy's priority should be set to 1 – followed by a precautionary reboot. These actions should thwart potential attackers by answering the requests the policy matches with HTTP 403 Forbidden responses.

Inaction is risky

The bottom line – this vulnerability is becoming more widely known, and if you use Citrix ADC or Gateway, it is critical to take action now. At the very least, organizations should apply Citrix's mitigation steps as soon as possible, but we strongly encourage you to also check for any scanning or arbitrary code execution that may have already happened.

Questions around this issue and how to protect your organization? Please email support@a2u.net