Citrix ADC CVE-2019-19781 Public Exploits Available
On December 17, 2019, Citrix published an article describing vulnerability affecting the Citrix Application Delivery Controller (ADC) and Citrix Gateway formerly known as NetScaler ADC and Gateway. The vulnerability was assigned the following CVE number:
- CVE-2019-19781 : Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution
The vulnerability affects all product versions and all platforms:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Numerous working exploits have already been developed and have made publicly available in numerous locations. The vulnerability allows an attacker to gain full control of the device.
There is no patch currently available for this vulnerability, though Citrix has stated that they are currently being developed. They listed the following timelines:
|Version||Refresh Build||Expected Release Date|
|10.5||10.5.70.x||31st January 2020|
|11.1||11.1.63.x||20th January 2020|
|12.0||12.0.63.x||20th January 2020|
|12.1||12.1.55.x||27th January 2020|
|13.0||13.0.47.x||27th January 2020|
In the interim Citrix has provided mitigations, until the permanent fix is available. The fixes can be found here: https://support.citrix.com/article/CTX267679. IDS systems should also be configured to monitor for this threat. You can test if the mitigations have been applied properly by running the following command:
curl https://<Your Server IP or hostname>/vpn/../vpns/cfg/smb.conf –path-as-is
If you receive a 403 response, it means you properly applied the fix. If you can see the smb.conf, the fix was not applied correctly, and the device is still vulnerable.
Don’t wait, make sure to patch all of your devices now.