Stefan Mileschin

Until patch comes out

The Dutch National Cyber Security Centre (NCSC) has taken the unusual step of warning organisations running Citrix ADC and Gateway servers to shut down their machines until Citrix releases a fully working patch for a CVE-2019-19781 vulnerability.

"If the impact of switching off the Citrix ADC and Gateway servers is not acceptable, the advice is to closely monitor for possible abuse", according to te NCSC advisory on its website.
"As a last risk-limiting measure you can still look at whitelisting of specific IP addresses or IP blocks", it added.

The advisory from the Dutch NCSC comes following Citrix's admission that its mitigation measures for CVE-2019-19781 are unable to provide security against exploits on some installations running older firmware.

The company revealed that Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31 are vulnerable as the bug "affects responder and rewrite policies bound to VPN virtual servers causing them not to process the packets that matched policy rules".

Citrix recommends customers update their product to an unaffected build and then apply the mitigation steps. It said that after a detailed analysis of the security vulnerability, it found that it impacts the Wan Optimisation (WANOP) edition of the Citrix SD-WAN appliance (models 4000, 4100, 5000, and 5100 all supported builds).

CVE-2019-19781, which has severity score of 9.8 out of 10, was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies.

The issue impacts Citrix Application Delivery Controller (earlier known as NetScaler ADC) and Citrix Gateway (formerly NetScaler Gateway) and could allow attackers to execute arbitrary code on vulnerable machines via directory traversal, without requiring authentication.

https://fudzilla.com/news/50141-citr...t-be-shut-down