- Posted January 08, 2020
- Security Advisories
Critical vulnerability in Citrix products
Details
In late 2019, Citrix released security bulletin CTX267027 detailing a vulnerability (CVE-2019-19781) affecting the following products:
- Citrix Application Delivery Controller (NetScaler ADC) versions 10.5, 11.1, 12.0, 12.1 and 13.0.
- Citrix Gateway (NetScaler Gateway) versions 10.5, 11.1, 12.0, 12.1 and 13.0.
Citrix has rated the severity of this vulnerability as critical, noting it allows for arbitrary code execution in affected versions of Citrix products. Exploitation of this vulnerability could result in full remote compromise of the exposed server and potentially the wider network.
Although updated firmware is not yet available to fix the vulnerability, Citrix has released mitigation steps in a separate article, CTX267679.
Recommendations
The NCSC recommends organisations using the affected products apply the mitigations detailed in Citrix article CTX267679 as soon as possible. Once a fixed version of the firmware is released, it should also be applied to all affected devices.
References
- Citrix security bulletin: https://support.citrix.com/article/CTX267027
- Citrix mitigation steps: https://support.citrix.com/article/CTX267679
- CVE-2019-19781: https://nvd.nist.gov/vuln/detail/CVE-2019-19781