Recently, CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance was released to the public. https://support.citrix.com/article/CTX267027.
There is a vulnerability in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and the Citrix Gateway, formerly known as NetScaler Gateway. Should this vulnerability be exploited an unauthenticated attacker could perform an arbitrary code injection.
The vulnerability affects the following supported product versions on all supported platforms:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds before 18.104.22.168
- NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 22.214.171.124
- NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 126.96.36.199
- NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 188.8.131.52
- NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12
- Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b
What You Should Do
Exploits of this issue on unmitigated appliances have been observed in the wild. Citrix strongly urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments.
Customers who have chosen to immediately apply the mitigation should then upgrade all of their vulnerable appliances to a fixed build of the appliance at their earliest schedule. Subscribe to bulletin alerts at https://support.citrix.com/user/alerts to be notified when the new fixes are available.
The following knowledge base article contains the steps to deploy a responder policy to mitigate the issue in the interim until the system has been updated to a fixed build: CTX267679 – Mitigation steps for CVE-2019-19781
Upon application of the mitigation steps, customers may then verify correctness using the tool published here: CTX269180 – CVE-2019-19781 – Verification Tool
Fixed builds have been released across all supported versions of Citrix ADC and Citrix Gateway. Fixed builds have also been released for Citrix SD-WAN WANOP for the applicable appliance models. Citrix strongly recommends that customers install these updates at their earliest schedule.
The fixed builds can be downloaded from: