On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0 to address CVE-2019-19781. Citrix released updates for vulnerable SD-WAN WANOP appliances on January 22, 2020. Citrix expects to release updates for other vulnerable versions of Citrix ADC and Gateway on January 24, 2020. (See Mitigations for update schedule).[1]
A remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[2] This vulnerability has been detected in exploits in the wild.[3]
The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible once the appropriate firmware update becomes available.
On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.
The vulnerability affects the following appliances:
Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781 on January 22, 2020. The tool aids customers with detecting potential IOCs based on known attacks and exploits.[12]
See the National Security Agency's Cybersecurity Advisory on CVE-2019-19781 for other detection measures.[13]
CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[14] CISA encourages administrators to visit CISA's GitHub page to download and run the tool.
CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available.
The fixed builds can be downloaded from Citrix Downloads pages for Citrix ADC, Citrix Gateway, and Citrix SD-WAN.
Until the appropriate update is accessible, users and administrators should apply Citrix's interim mitigation steps for CVE-2019-19781.[15] Verify the successful application of the above mitigations by using the tool in CTX269180 – CVE-2019-19781 – Verification Tool. Note: these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.[16]
Refer to table 1 for Citrix's planned fix schedule.[17]
Table 1. Fix schedule for Citrix appliances vulnerable to CVE-2019-19781
| Vulnerable Appliance | Firmware Update | Release Date |
|---|---|---|
| Citrix ADC and Citrix Gateway version 10.5 | Refresh Build 10.5.70.x | January 24, 2020 (Expected) |
| Citrix ADC and Citrix Gateway version 11.1 | Refresh Build 11.1.63.15 | January 19, 2020 |
| Citrix ADC and Citrix Gateway version 12.0 | Refresh Build 12.0.63.13 | January 19, 2020 |
| Citrix ADC and Citrix Gateway version 12.1 | Refresh Build 12.1.55.x | January 24, 2020 (Expected) |
| Citrix ADC and Citrix Gateway version 13.0 | Refresh Build 13.0.47.x | January 24, 2020 (Expected) |
| Citrix SD-WAN WANOP Release 10.2.6 | Build 10.2.6b | January 22, 2020 |
| Citrix SD-WAN WANOP Release 11.0.3 | Build 11.0.3b | January 22, 2020 |
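As an added illustration of how the fix schedule in Table 1 can be applied to an inventory (example code written for this page, not CISA's GitHub utility or Citrix's verification tool): the function below parses an ADC/Gateway version banner and reports whether the build is at or above the fixed build. It assumes the banner format produced by `show ns version` ("NetScaler NS12.0: Build 63.13.nc, ...") and covers only the ADC/Gateway rows; the "x" builds still pending at publication are reported as pending rather than guessed.

```python
import re
from typing import Optional, Tuple

# Fix schedule from Table 1 (Citrix ADC / Citrix Gateway rows only). Each entry is
# (refresh build series, point build). A point build of None means the table only
# lists "x": the fixed series is known but the exact point build was not yet published.
FIXED_BUILDS = {
    "10.5": (70, None),   # Refresh Build 10.5.70.x  (expected Jan 24, 2020)
    "11.1": (63, 15),     # Refresh Build 11.1.63.15 (Jan 19, 2020)
    "12.0": (63, 13),     # Refresh Build 12.0.63.13 (Jan 19, 2020)
    "12.1": (55, None),   # Refresh Build 12.1.55.x  (expected Jan 24, 2020)
    "13.0": (47, None),   # Refresh Build 13.0.47.x  (expected Jan 24, 2020)
}

# Assumed banner format (first line of `show ns version`), e.g. the constructed sample
# "NetScaler NS12.0: Build 63.13.nc, Date: Jan 17 2020".
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Tuple[str, int, int]]:
    """Return (release, build, point) from a version banner, or None if it does not match."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(banner: str) -> str:
    """Classify a banner against Table 1.

    "fixed"       build is at or above the published fixed build (a later refresh
                  series is assumed to carry the fix)
    "vulnerable"  build is below the fixed series, or below the fixed point build
    "pending"     build is in the fixed series but the exact point build is not yet
                  published ("x" in Table 1): re-check once Citrix publishes it
    "unlisted"    release line is not in Table 1: review manually
    "unparsable"  banner did not match the assumed format
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unparsable"
    release, build, point = parsed
    if release not in FIXED_BUILDS:
        return "unlisted"
    fixed_build, fixed_point = FIXED_BUILDS[release]
    if build != fixed_build:
        return "fixed" if build > fixed_build else "vulnerable"
    if fixed_point is None:
        return "pending"
    return "fixed" if point >= fixed_point else "vulnerable"
```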
Administrators should review NSA's Citrix Advisory for other mitigations, such as applying the following defense-in-depth strategy:
"Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. Use of a proprietary SSLVPN/TLSVPN is discouraged."