Citrix ADC CVE-2019-19781 Public Exploits Available

On December 17, 2019, Citrix published an article describing vulnerability affecting the Citrix Application Delivery Controller (ADC) and Citrix Gateway formerly known as NetScaler ADC and Gateway. The vulnerability was assigned the following CVE number:

  • CVE-2019-19781 : Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution

The vulnerability affects all product versions and all platforms:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Numerous working exploits have already been developed and have made publicly available in numerous locations. The vulnerability allows an attacker to gain full control of the device.

There is no patch currently available for this vulnerability, though Citrix has stated that they are currently being developed. They listed the following timelines:

Version Refresh Build Expected Release Date
10.5 10.5.70.x 31st January 2020
11.1 11.1.63.x 20th January 2020
12.0 12.0.63.x 20th January 2020
12.1 12.1.55.x 27th January 2020
13.0 13.0.47.x 27th January 2020

In the interim Citrix has provided mitigations, until the permanent fix is available. The fixes can be found here: https://support.citrix.com/article/CTX267679. IDS systems should also be configured to monitor for this threat. You can test if the mitigations have been applied properly by running the following command:

curl https://<Your Server IP or hostname>/vpn/../vpns/cfg/smb.conf –path-as-is

If you receive a 403 response, it means you properly applied the fix. If you can see the smb.conf, the fix was not applied correctly, and the device is still vulnerable.

Don’t wait, make sure to patch all of your devices now.