Citrix is urging infosec pros to quickly install the fixes it released Sunday for two versions of its Application Delivery Controller, which plug a vulnerability that attackers are already exploiting.
“We urge customers to immediately install these fixes,” the company said on its website.
There are several versions of the controller, it added, and administrators must apply the fix that matches the version running on each system.
The patches are the first of several permanent fixes for Citrix ADC (formerly NetScaler ADC), Citrix Gateway (formerly NetScaler Gateway) and certain deployments of two older Citrix SD-WAN WANOP releases, versions 10.2.6 and 11.0.3. The flaw, if exploited, allows an unauthenticated attacker to execute arbitrary code.
Until now admins could only apply mitigations for the vulnerability, tracked as CVE-2019-19781 and first announced on December 17.
The initial permanent fixes for ADC versions 11.1 and 12.0 are available for download from Citrix. Citrix says they also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS or GCP, or on a Citrix ADC Service Delivery Appliance (SDX). The SVM on the SDX itself does not need to be updated.
All Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) must be upgraded to build 63.15, and all 12.0 instances (MPX or VPX) to build 63.13, to receive the fix.
Permanent fixes for the other ADC versions and for SD-WAN WANOP will be released sooner than previously announced: the patches for ADC versions 12.1, 13.0 and 10.5 are now all due January 24. Until then, the previously announced mitigations must remain in place on those products.
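Because the fix is per-branch and per-build, the practical question for an admin with a mixed fleet is which appliances are already on a fixed build, which need an upgrade, and which are on a branch that still has no permanent fix and must keep the mitigation. The following is an added example (not Citrix's code or anything from the article) that classifies appliances from the first line of `show ns version` output. It assumes the usual `NetScaler NS<branch>: Build <major>.<minor>.nc, ...` format, takes the fixed builds as 11.1 build 63.15 and 12.0 build 63.13 per Citrix's advisory, and uses a constructed sample fleet; `FIXED_BUILDS`, `assess` and the host names are the example's own.

```python
import re

# Fixed builds per Citrix's January 19, 2020 release: None marks a branch
# whose permanent fix was still pending (12.1, 13.0 and 10.5 were due Jan 24).
# Assumed table for this example; keep it current as Citrix ships fixes.
FIXED_BUILDS = {
    "11.1": (63, 15),
    "12.0": (63, 13),
    "12.1": None,
    "13.0": None,
    "10.5": None,
}

# First line of `show ns version`, e.g.
# "NetScaler NS12.0: Build 57.24.nc, Date: Nov 27 2019, 22:21:16   (64-bit)"
_VERSION_RE = re.compile(r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<build>\d+\.\d+)")


def parse_version(text):
    """Return (branch, (major, minor)) from `show ns version` output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor = m.group("build").split(".")
    # Compare builds as integer tuples: "63.9" must sort below "63.15",
    # which a plain string comparison would get wrong.
    return m.group("branch"), (int(major), int(minor))


def assess(text):
    """Classify one appliance: 'fixed', 'upgrade', 'mitigate-only' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    branch, build = parsed
    if branch not in FIXED_BUILDS:
        return "unknown"        # branch not in the advisory table; check manually
    fixed = FIXED_BUILDS[branch]
    if fixed is None:
        return "mitigate-only"  # no permanent fix yet; the mitigation must stay in place
    return "fixed" if build >= fixed else "upgrade"


def report(fleet):
    """Map hostname -> status for a dict of hostname -> `show ns version` output."""
    return {host: assess(output) for host, output in fleet.items()}


# Constructed sample output for four hypothetical appliances (dates invented).
SAMPLE_FLEET = {
    "gw-dc1": "NetScaler NS11.1: Build 63.15.nc, Date: Jan 12 2020, 03:21:39   (64-bit)",
    "gw-dc2": "NetScaler NS12.0: Build 57.24.nc, Date: Nov 27 2019, 22:21:16   (64-bit)",
    "adc-lab": "NetScaler NS13.0: Build 47.24.nc, Date: Dec  5 2019, 10:02:11   (64-bit)",
    "adc-old": "connection refused",
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_FLEET).items():
        print(f"{host:8} {status}")
```

In practice the input would come from `show ns version` over SSH or the NITRO API against each device; a result of `mitigate-only` is the one to watch, since those appliances stay exposed if the responder-policy mitigation was never applied or was reverted.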
According to FireEye, attackers wasted little time in trying to exploit the vulnerability.
“After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented, we’ve recognized multiple groups of post-exploitation activity,” FireEye said last week.
Interestingly, it added, one threat actor has recently been compromising vulnerable Citrix devices and then blocking other attackers from exploiting the same flaw, while at the same time deploying a previously unseen backdoor on the NetScaler devices. FireEye suspects the actor may be quietly accumulating access to NetScaler devices for a subsequent campaign.