Citrix released permanent fixes for the actively exploited CVE-2019-19781 vulnerability impacting Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances and allowing unauthenticated attackers to perform arbitrary code execution.

"Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads here and here," Citrix's CISO Fermin J. Serna says in an update published today.

"These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.

It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes."

Important updates on the #CitrixADC, Citrix Gateway vulnerability: (1) Permanent fixes for ADC v11.1 & 12. (2) We have moved forward the availability of permanent fixes for other ADC versions & SD-WAN WANOP from previous target dates. #CVE201919781 https://t.co/20c9u3oh8h — Citrix (@citrix) January 19, 2020

Accelerated firmware update timeline

Besides releasing these permanent fixes for CVE-2019-19781, Citrix also says it has moved forward the "availability of permanent fixes for other ADC versions and for SD-WAN WANOP"; the new target dates are:

• ADC version 12.1, now January 24

• ADC version 13 and ADC version 10.5, now January 24

• SD-WAN WANOP fixes, now January 24

The new firmware update timeline is available below:

Citrix ADC and Citrix Gateway

Version   Refresh build   Release date
11.1      11.1.63.15      January 19, 2020
12.0      12.0.63.13      January 19, 2020
12.1      12.1.55.x       January 24, 2020
10.5      10.5.70.x       January 24, 2020
13.0      13.0.47.x       January 24, 2020

Citrix SD-WAN WANOP

Release   Citrix ADC release   Release date
10.2.6    11.1.51.615          January 24, 2020
11.0.3    11.1.51.615          January 24, 2020
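Because the fix is a specific build per release train rather than a single version number, checking an inventory of appliances against the timeline is easy to get wrong (13.0 build 41 is older than 12.0 build 63, for instance). The script below is an added example, not a Citrix tool or code from the article: it parses the version banner that `show ns version` prints on an ADC/Gateway (the banner format is an assumption) and compares the build against the fixed builds listed above. Where the timeline gives only "x" for the point build (12.1.55.x, 10.5.70.x, 13.0.47.x) the example assumes ".0" as the minimum; confirm the exact build against the downloads when they are in hand.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Fixed builds per the Citrix timeline above, keyed by release train.
# Where the timeline lists "x" the exact point build was not published yet,
# so ".0" is taken as the minimum. Assumption for this example only.
FIXED_BUILDS = {
    "10.5": (70, 0),
    "11.1": (63, 15),
    "12.0": (63, 13),
    "12.1": (55, 0),
    "13.0": (47, 0),
}

# Assumed banner format, as printed by `show ns version`, e.g.
# "NetScaler NS11.1: Build 62.8.nc, Date: Jan 6 2020, 11:33:21".
BANNER_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


class Assessment(NamedTuple):
    release: str                        # release train, e.g. "11.1"
    build: Tuple[int, int]              # (major, minor), e.g. (62, 8)
    required: Optional[Tuple[int, int]] # fixed build, None if train unknown
    fixed: bool                         # True only if build >= required


def parse_banner(banner: str) -> Tuple[str, Tuple[int, int]]:
    """Extract (release, (build_major, build_minor)) from a version banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(banner: str) -> Assessment:
    """Compare one appliance's build against the published fixed build."""
    release, build = parse_banner(banner)
    required = FIXED_BUILDS.get(release)
    # An unknown release train is never reported as fixed; tuple comparison
    # orders (63, 9) below (63, 15), which a string compare would not.
    fixed = required is not None and build >= required
    return Assessment(release, build, required, fixed)


def unpatched(banners):
    """Return the banners from an inventory that still need the fix."""
    return [b for b in banners if not assess(b).fixed]


if __name__ == "__main__":
    # Constructed sample inventory for the example; not real hosts.
    inventory = [
        "NetScaler NS11.1: Build 62.8.nc, Date: Jan 6 2020, 11:33:21",
        "NetScaler NS11.1: Build 63.15.nc, Date: Jan 19 2020, 09:12:00",
        "NetScaler NS12.0: Build 63.13.nc, Date: Jan 19 2020, 09:12:00",
        "NetScaler NS13.0: Build 41.20.nc, Date: Nov 21 2019, 02:40:10",
    ]
    for b in inventory:
        a = assess(b)
        state = "fixed" if a.fixed else f"NEEDS UPGRADE to build {a.required}"
        print(f"{a.release} build {a.build[0]}.{a.build[1]}: {state}")
```

Being on a fixed build only tells you the code path is closed from now on. Given the FireEye finding further down that an actor has been patching boxes and leaving a backdoor behind, an appliance that shows as "fixed" still needs its exposure window and the mitigation-check results reviewed before it is trusted.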

Citrix advises all customers to apply the mitigation measures to ADC versions 12.1, 13 and 10.5, and to SD-WAN WANOP versions 10.2.6 and 11.0.3, until a permanent fix is available for them.

"Once complete, you can use the tool we have previously provided to ensure the mitigations have successfully been applied," Serna added.

"While all the mitigations associated with CVE-2019-19781 are effective across all known scenarios, we strongly encourage customers to apply the permanent fixes as soon as possible."

"We are urging customers to apply these fixes immediately and have amped up our support staff to help them if necessary," Citrix Corporate Communications and Media Relations Karen Master told BleepingComputer.

Vulnerable Citrix appliances under attack

An unknown threat actor is scanning for Citrix ADC servers, securing them against CVE-2019-19781 exploitation attempts, and at the same time deploying a backdoor to keep future access for themselves, FireEye researchers discovered.

"FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign," the report says.

More than 25,000 vulnerable Citrix endpoints were found by security firm Bad Packets roughly a week ago, with around 1,000 of them from the U.S. and thousands more in Germany, the United Kingdom, Switzerland, and Australia.

Opportunistic scanning activity continues to target Citrix (NetScaler) servers vulnerable to CVE-2019-19781.

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the targeted server. #threatintel https://t.co/Ba1muwe7ny — Bad Packets Report (@bad_packets) January 13, 2020

Scans for Citrix appliances vulnerable to attacks started on January 8 according to security experts, while proof-of-concept (PoC) exploits were made public just two days later.

On January 13, the Cybersecurity and Infrastructure Security Agency (CISA) released a public domain tool that lets security staff test whether their organizations' servers are vulnerable, while the Dutch National Cybersecurity Centre (NCSC) advised companies four days ago to shut down vulnerable Citrix appliances until a reliable fix is available.

Update January 19, 17:04 EST: Added info on ongoing attacks.

Update January 22, 17:39 EST: Citrix released another series of permanent fixes for the impacted versions of Citrix SD-WAN WANOP, available for download here.

To apply the security vulnerability fix, you need to upgrade all Citrix SD-WAN WANOP versions to build 10.2.6b or 11.0.3b as appropriate. These fixes are ONLY applicable to the SD-WAN 4000-WO, 5000-WO, 4100-WO, and 5100-WO platforms. All other SD-WAN PE and SD-WAN SE platforms are not impacted by this vulnerability and do not need to be patched.

Update January 23, 17:40 EST: Citrix released another series of permanent CVE-2019-19781 fixes for Citrix ADC (NetScaler ADC) and Citrix Gateway versions 12.1 and 13.0, available for download here (ADC) and here (Gateway).